Windows Analysis Report
XML-702.msi

Overview

General Information

Sample name: XML-702.msi
Analysis ID: 1591190
MD5: 17233cb43b4a16b35d9d174cfc88ec4a
SHA1: 3831189838df5d113461823a1aa864d7572bedf5
SHA256: a78b24eacd8138edb9f0d440c2ffb98cee269ae32c8f8ba8790d4d60c2ee18e5
Tags: atera msi rmm user-johnk3r
Infos:

Detection

AteraAgent
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Loading BitLocker PowerShell Module
Queries disk data (e.g. SMART data)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Potential PowerShell Command Line Obfuscation
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • msiexec.exe (PID: 7508 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\XML-702.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7556 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7632 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 880080BE1478B06580F06BAFC5D76649 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 7676 cmdline: rundll32.exe "C:\Windows\Installer\MSIA4ED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5612890 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7732 cmdline: rundll32.exe "C:\Windows\Installer\MSIA82A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5613656 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7828 cmdline: rundll32.exe "C:\Windows\Installer\MSIB77D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5617562 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7424 cmdline: rundll32.exe "C:\Windows\Installer\MSICE75.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5623421 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 7888 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5BF63B3DEC55F2B0AB21F4C24E7E610C E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 7928 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 7976 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 8000 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 8064 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="contato@plasticoseireli.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q3000005bkCOIAY" /AgentId="129f3953-acb3-4c59-97d2-68ee1acc4037" MD5: 477293F80461713D51A98A24023D45E8)
    • msiexec.exe (PID: 7680 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 710833DCD7A2D76742D801FD4C065DF0 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 4144 cmdline: rundll32.exe "C:\Windows\Installer\MSI99A5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5675609 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
  • AteraAgent.exe (PID: 7264 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 2472 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7864 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "dd688ee6-da7a-489a-824e-4b2b8f963f93" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q3000005bkCOIAY MD5: 9D8D50D2789C2A8D847D7953518A96F6)
      • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7832 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "2e37e1c0-19ef-487a-bbff-8667419be909" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q3000005bkCOIAY MD5: 9D8D50D2789C2A8D847D7953518A96F6)
      • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 8148 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "a2b1d8f6-2f82-4898-80a5-6c64d88ad439" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q3000005bkCOIAY MD5: 9D8D50D2789C2A8D847D7953518A96F6)
      • conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 2476 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "c08b9836-612b-4f1a-a9b2-6d15dae1664b" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q3000005bkCOIAY MD5: 9D8D50D2789C2A8D847D7953518A96F6)
      • conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1148 cmdline: "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB $DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final 
result $IsCompatible " MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7952 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 7984 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageSTRemote.exe (PID: 7532 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "73baa492-8131-47bd-aef7-ff6f586897ca" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q3000005bkCOIAY MD5: 67FEF41237025021CD4F792E8C24E95A)
      • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 3940 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "83a39b31-6e02-450c-883e-7bcfe5037852" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q3000005bkCOIAY MD5: 810F893E58861909B134FA72E3BC90CD)
      • conhost.exe (PID: 4444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 2936 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 8172 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 6440 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "ad826f4a-bdf2-4b7c-85be-2ce6747e9604" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q3000005bkCOIAY MD5: 9D8D50D2789C2A8D847D7953518A96F6)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7180 cmdline: "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB $DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final 
result $IsCompatible " MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageUpgradeAgent.exe (PID: 7912 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "01be1e33-edd2-4b80-ad30-0a2ff62d8a90" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q3000005bkCOIAY MD5: E9794F785780945D2DDE78520B9BB59F)
      • conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 6024 cmdline: "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart MD5: E5DA170027542E25EDE42FC54C929077)
    • AgentPackageTicketing.exe (PID: 1284 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "bb91c3ae-13a9-46d3-b7cd-8a12a2b5a6f8" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q3000005bkCOIAY MD5: 2EC1D28706B9713026E8C6814E231D7C)
      • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageProgramManagement.exe (PID: 2692 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "337a6611-035b-4530-8875-95d63c915d31" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q3000005bkCOIAY MD5: CB9890B01A396F64D702AD10F441003A)
      • conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageInternalPoller.exe (PID: 980 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "5898f009-0c88-42d0-af0f-4e5a5d40fd4a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q3000005bkCOIAY MD5: 01807774F043028EC29982A62FA75941)
      • conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageOsUpdates.exe (PID: 7828 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "898b7d78-f877-4008-88ae-7d7cecc198d8" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q3000005bkCOIAY MD5: D0D21E16E57A1A73056EAE228DA1E287)
      • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageHeartbeat.exe (PID: 5516 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "6f5a73d1-06cd-46b4-86b8-fdba5613e7c2" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q3000005bkCOIAY MD5: 797C9554EC56FD72EBB3F6F6BEF67FB5)
      • conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 5236 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "d73a02c6-2491-46af-96a3-8578313e700f" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q3000005bkCOIAY MD5: 810F893E58861909B134FA72E3BC90CD)
      • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageADRemote.exe (PID: 5172 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "49f83d36-063d-4873-a1b6-871acf3a8149" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q3000005bkCOIAY MD5: 3180C705182447F4BCC7CE8E2820B25D)
      • conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sppsvc.exe (PID: 7976 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 7272 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AgentPackageUpgradeAgent.exe (PID: 412 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun MD5: E9794F785780945D2DDE78520B9BB59F)
    • conhost.exe (PID: 2804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Windows\Temp\~DF19F6CA16E441F4BA.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DF1F0D1A244819E315.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Config.Msi\55a386.rbs | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Installer\MSICE75.tmp-\AlphaControlAgentInstallation.dll | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
Source | Rule | Description | Author | Strings
0000003A.00000002.2517634081.000001EBDEE90000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000018.00000002.1946436379.000001E528A6B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000000C.00000002.1818118229.00000160398AA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000034.00000002.2881869825.0000021745187000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000001A.00000002.2835769180.000002BB77438000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
Source | Rule | Description | Author | Strings
46.0.AgentPackageUpgradeAgent.exe.2788cf60000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
19.2.AgentPackageAgentInformation.exe.24147520000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
65.2.AgentPackageADRemote.exe.1a26f8a0000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
65.2.AgentPackageADRemote.exe.1a26f8a0000.1.unpack | yara_runascs | unknown | Sekoia.io |
  • 0xda34:$s1: RunasCs
  • 0xf822:$s1: RunasCs
  • 0x10050:$s1: RunasCs
  • 0x100eb:$s1: RunasCs
  • 0x1018a:$s1: RunasCs
  • 0x10211:$s1: RunasCs
  • 0x1029e:$s1: RunasCs
  • 0x103ad:$s1: RunasCs
  • 0x103ef:$s1: RunasCs
  • 0x1050f:$s1: RunasCs
  • 0x10b55:$s1: RunasCs
  • 0x10de9:$s1: RunasCs
  • 0x10e6b:$s1: RunasCs
  • 0x119d5:$s1: RunasCs
  • 0x11a87:$s1: RunasCs
  • 0x11b85:$s1: RunasCs
  • 0x11cc1:$s1: RunasCs
  • 0x11e43:$s1: RunasCs
  • 0x1361d:$s1: RunasCs
  • 0xafe9:$s2: LOGON32_LOGON_INTERACTIVE
  • 0xb036:$s3: LOGON32_LOGON_NETWORK
60.2.AgentPackageHeartbeat.exe.1c876970000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

                              System Summary

                              Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB $DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge 
$SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible ", CommandLine: "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) {
                              Source: Process startedAuthor: Michael Haag: Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7952, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 7984, ProcessName: cscript.exe
                              Source: Process startedAuthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 5BF63B3DEC55F2B0AB21F4C24E7E610C E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7888, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7928, ProcessName: net.exe
                              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB $DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge 
$SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible ", CommandLine: "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) {
                              Source: Process started, Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 5BF63B3DEC55F2B0AB21F4C24E7E610C E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7888, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7928, ProcessName: net.exe
                              Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k smphost, CommandLine: C:\Windows\System32\svchost.exe -k smphost, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k smphost, ProcessId: 7272, ProcessName: svchost.exe
                              No Suricata rule has matched

                              AV Detection

                              Source: 55a38c.rbf (copy), ReversingLabs: Detection: 26%
                              Source: 55a38c.rbf (copy), Virustotal: Detection: 27%
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, ReversingLabs: Detection: 26%
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Virustotal: Detection: 27%
                              Source: XML-702.msi, ReversingLabs: Detection: 28%
                              Source: Submitted Sample, Integrated Neural Analysis Model: Matched 97.2% probability
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Code function: 35_2_00007FFDEE3F4E20 CryptCreateHash, GetLastError, CryptHashData, GetLastError, CryptDeriveKey, GetLastError, CryptEncrypt, GetLastError, CryptDecrypt, GetLastError, CryptDestroyKey, CryptDestroyHash, 35_2_00007FFDEE3F4E20
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Code function: 35_2_00007FFDEE3F4DE0 CryptReleaseContext, 35_2_00007FFDEE3F4DE0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Code function: 35_2_00007FFDEE3F4BC0 CryptAcquireContextW, GetLastError, CryptReleaseContext, CryptReleaseContext, CryptReleaseContext, 35_2_00007FFDEE3F4BC0
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.Win32.Registry.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\createdump.exeJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ComponentModel.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.Compression.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Serialization.Formatters.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Drawing.Primitives.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.FileSystem.AccessControl.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.Emit.Lightweight.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\mscorrc.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Text.Encoding.CodePages.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.Http.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Private.Xml.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\.versionJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.Extensions.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Numerics.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.Requests.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.TypeExtensions.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.DispatchProxy.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Text.Encoding.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.Serialization.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Resources.Writer.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.TraceSource.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\netstandard.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.NETCore.App.deps.jsonJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.Encoding.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Core.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.X509Certificates.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.Contracts.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.OpenSsl.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.Linq.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\clrgc.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\msquic.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\hostJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxrJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\8.0.11Jump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\8.0.11\hostfxr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\dotnet.exeJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\LICENSE.txtJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\ThirdPartyNotices.txtJump to behavior
                              Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}Jump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\AteraSetupLog.txt
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\LICENSE.txt
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt
                              Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000023.00000002.2067391884.000001ED9CC02000.00000002.00000001.01000000.00000022.sdmp
                              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: AgentPackageOsUpdates.exe, 0000003A.00000002.2721408614.000001EBF7F92000.00000002.00000001.01000000.0000004A.sdmp
                              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb8 source: AgentPackageAgentInformation.exe, 00000012.00000000.1900225335.000001F8FA9C2000.00000002.00000001.01000000.00000016.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1785622783.0000016037B32000.00000002.00000001.01000000.0000000F.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.1935279763.0000024147522000.00000002.00000001.01000000.00000018.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2863025472.0000021744632000.00000002.00000001.01000000.0000004F.sdmp, AgentPackageHeartbeat.exe, 0000003C.00000002.2482061773.000001C876972000.00000002.00000001.01000000.00000039.sdmp
                              Source: Binary string: mscorlib.pdbVd" source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D900000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb@ source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2278180476.000002788CF62000.00000002.00000001.01000000.00000027.sdmp
                              Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000023.00000002.2075944227.000001ED9CFD2000.00000002.00000001.01000000.00000026.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbd source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2278180476.000002788CF62000.00000002.00000001.01000000.00000027.sdmp
                              Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmp
                              Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2044948171.000001ED84442000.00000002.00000001.01000000.00000020.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 00000039.00000002.2441143442.000001C502652000.00000002.00000001.01000000.00000035.sdmp
                              Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdbSHA256 source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb| source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: dows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00363000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb8 source: AgentPackageProgramManagement.exe, 00000034.00000002.2863025472.0000021744632000.00000002.00000001.01000000.0000004F.sdmp
                              Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 00000039.00000002.2513871294.000001C51AF72000.00000002.00000001.01000000.0000003E.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1719314198.0000000004960000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.000000000468A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.0000000004775000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004DDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2348129433.000000000478E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb-a source: AgentPackageADRemote.exe, 00000041.00000002.2472321285.000001A26F8A2000.00000002.00000001.01000000.00000036.sdmp
                              Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: AteraAgent.exe, 0000001A.00000002.2905521031.000002BB78966000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\A\_work\39\s\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net45\System.Runtime.InteropServices.RuntimeInformation.pdb source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1785622783.0000016037B32000.00000002.00000001.01000000.0000000F.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageADRemote\AgentPackageADRemote\obj\Release\AgentPackageADRemote.pdb source: AgentPackageADRemote.exe, 00000041.00000000.2371571451.000001A26F542000.00000002.00000001.01000000.00000033.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb!_;_ -__CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 0000003A.00000002.2520013020.000001EBDEFA2000.00000002.00000001.01000000.00000041.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00845000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdb source: AgentPackageOsUpdates.exe, 0000003A.00000002.2712671371.000001EBF7DC2000.00000002.00000001.01000000.00000047.sdmp
                              Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdbd source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 00000039.00000000.2350687897.000001C501D32000.00000002.00000001.01000000.0000002E.sdmp
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.2325257531.0000024DFA5C2000.00000002.00000001.01000000.0000002B.sdmp
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000D.00000002.2325257531.0000024DFA5C2000.00000002.00000001.01000000.0000002B.sdmp
                              Source: Binary string: \REGISTRY\USER\S-1-5-18ll\mscorlib.pdb source: AgentPackageOsUpdates.exe, 0000003A.00000002.2679052691.000001EBF7CCD000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2074096333.000001ED9CF12000.00000002.00000001.01000000.00000025.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2071374320.000001ED9CDB2000.00000002.00000001.01000000.00000023.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\AgentPackageProgramManagement\obj\Release\AgentPackageProgramManagement.pdb source: AgentPackageProgramManagement.exe, 00000034.00000000.2315651131.0000021743E12000.00000002.00000001.01000000.0000002A.sdmp
                              Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmp
                              Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdb source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\ThirdPartyPackageManager\obj\Release\ThirdPartyPackageManager.pdb source: AgentPackageProgramManagement.exe, 00000034.00000002.2860890120.0000021744182000.00000002.00000001.01000000.0000004E.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000012.00000000.1900225335.000001F8FA9C2000.00000002.00000001.01000000.00000016.sdmp
                              Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2067391884.000001ED9CC02000.00000002.00000001.01000000.00000022.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbb source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1719314198.0000000004960000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.000000000468A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.0000000004775000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004DDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2348129433.000000000478E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1840000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1BD9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1937350765.000001F8FBAC2000.00000002.00000001.01000000.00000019.sdmp
                              Source: Binary string: ]c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175DAA4000.00000002.00000001.01000000.00000055.sdmp
                              Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256~ source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00363000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1840000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1BD9000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1937350765.000001F8FBAC2000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2074096333.000001ED9CF12000.00000002.00000001.01000000.00000025.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2801505651.00000278A61A2000.00000002.00000001.01000000.0000004C.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00845000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdbTlnl `l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 00000031.00000000.2306992769.000002B19E262000.00000002.00000001.01000000.00000028.sdmp
                              Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbiiiGCTL source: AteraAgent.exe, 0000001A.00000002.2905521031.000002BB78966000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2801505651.00000278A61A2000.00000002.00000001.01000000.0000004C.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 0000003A.00000000.2357284880.000001EBDEB32000.00000002.00000001.01000000.00000031.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmp
                              Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D8F2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB0xY source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 00000039.00000002.2513871294.000001C51AF72000.00000002.00000001.01000000.0000003E.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: AgentPackageADRemote.exe, 00000041.00000002.2472321285.000001A26F8A2000.00000002.00000001.01000000.00000036.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageHeartbeat\AgentPackageHeartbeat\obj\Release\AgentPackageHeartbeat.pdb source: AgentPackageHeartbeat.exe, 0000003C.00000000.2360977193.000001C876612000.00000002.00000001.01000000.00000032.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb4X source: AgentPackageHeartbeat.exe, 0000003C.00000002.2482061773.000001C876972000.00000002.00000001.01000000.00000039.sdmp
                              Source: Binary string: c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175DAA4000.00000002.00000001.01000000.00000055.sdmp
                              Source: Binary string: C:\buildAgent\work\1b72bc6dac87fa71\code_drop\merge\chocolatey.pdb source: AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175DAA4000.00000002.00000001.01000000.00000055.sdmp
                              Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 0000003A.00000002.2712671371.000001EBF7DC2000.00000002.00000001.01000000.00000047.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1719314198.0000000004960000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.000000000468A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.0000000004775000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004DDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2348129433.000000000478E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000023.00000002.2044948171.000001ED84442000.00000002.00000001.01000000.00000020.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.1935279763.0000024147522000.00000002.00000001.01000000.00000018.sdmp
                              Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\exe\AgentPackageUpgradeAgent.pdb7 source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: mscorlib.pdb source: AgentPackageOsUpdates.exe, 0000003A.00000002.2738724313.000001EBF8150000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2101959263.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.3119400681.00007FFDF34FC000.00000002.00000001.01000000.0000001E.sdmp
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1819255706.00000160520C2000.00000002.00000001.01000000.00000011.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 0000003A.00000002.2520013020.000001EBDEFA2000.00000002.00000001.01000000.00000041.sdmp
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1819255706.00000160520C2000.00000002.00000001.01000000.00000011.sdmp
                              Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2075944227.000001ED9CFD2000.00000002.00000001.01000000.00000026.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000039.00000002.2441143442.000001C502652000.00000002.00000001.01000000.00000035.sdmp
                              Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdbx source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000031.00000000.2306992769.000002B19E262000.00000002.00000001.01000000.00000028.sdmp
                              Source: C:\Windows\System32\msiexec.exe File opened: z:
                              Source: C:\Windows\System32\msiexec.exe File opened: x:
                              Source: C:\Windows\System32\msiexec.exe File opened: v:
                              Source: C:\Windows\System32\msiexec.exe File opened: t:
                              Source: C:\Windows\System32\msiexec.exe File opened: r:
                              Source: C:\Windows\System32\msiexec.exe File opened: p:
                              Source: C:\Windows\System32\msiexec.exe File opened: n:
                              Source: C:\Windows\System32\msiexec.exe File opened: l:
                              Source: C:\Windows\System32\msiexec.exe File opened: j:
                              Source: C:\Windows\System32\msiexec.exe File opened: h:
                              Source: C:\Windows\System32\msiexec.exe File opened: f:
                              Source: C:\Windows\System32\msiexec.exe File opened: b:
                              Source: C:\Windows\System32\msiexec.exe File opened: y:
                              Source: C:\Windows\System32\msiexec.exe File opened: w:
                              Source: C:\Windows\System32\msiexec.exe File opened: u:
                              Source: C:\Windows\System32\msiexec.exe File opened: s:
                              Source: C:\Windows\System32\msiexec.exe File opened: q:
                              Source: C:\Windows\System32\msiexec.exe File opened: o:
                              Source: C:\Windows\System32\msiexec.exe File opened: m:
                              Source: C:\Windows\System32\msiexec.exe File opened: k:
                              Source: C:\Windows\System32\msiexec.exe File opened: i:
                              Source: C:\Windows\System32\msiexec.exe File opened: g:
                              Source: C:\Windows\System32\msiexec.exe File opened: e:
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: c:
                              Source: C:\Windows\System32\msiexec.exe File opened: a:
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B3F1FFFh 12_2_00007FFD9B3F1FAC
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B3F1873h 12_2_00007FFD9B3F172D
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B3F4ECBh 13_2_00007FFD9B3F4E6B
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B41C1B2h 26_2_00007FFD9B41BE3B
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B404ECBh 26_2_00007FFD9B404E45
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B41C1B2h 26_2_00007FFD9B41BE60
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B622EE0h 26_2_00007FFD9B622C39
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then dec eax 26_2_00007FFD9B621FB5
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B624859h 26_2_00007FFD9B6246E0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B401873h 26_2_00007FFD9B400C58
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B40227Bh 26_2_00007FFD9B400C58

                              Networking

                              Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.119.152.241 443
                              Source: Yara match File source: 18.0.AgentPackageAgentInformation.exe.1f8fa9c0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 52.2.AgentPackageProgramManagement.exe.2175d820000.6.unpack, type: UNPACKEDPE
                              Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                              Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, type: DROPPED
                              Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                              Source: Yara match File source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.dll, type: DROPPED
                              Source: Yara match File source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\netstandard.dll, type: DROPPED
                              Source: Yara match File source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.dll, type: DROPPED
                              Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
                              Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
                              Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.000002175493E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: [Facebook](https://www.facebook.com/realvnc) | [Twitter](https://twitter.com/realvnc) | [Linkedin](https://www.linkedin.com/company/realvnc) | [YouTube](https://www.youtube.com/user/RealVNCLtd) equals www.facebook.com (Facebook)
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.000002175493E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: [Facebook](https://www.facebook.com/realvnc) | [Twitter](https://twitter.com/realvnc) | [Linkedin](https://www.linkedin.com/company/realvnc) | [YouTube](https://www.youtube.com/user/RealVNCLtd) equals www.linkedin.com (Linkedin)
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.000002175493E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: [Facebook](https://www.facebook.com/realvnc) | [Twitter](https://twitter.com/realvnc) | [Linkedin](https://www.linkedin.com/company/realvnc) | [YouTube](https://www.youtube.com/user/RealVNCLtd) equals www.twitter.com (Twitter)
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.000002175493E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: [Facebook](https://www.facebook.com/realvnc) | [Twitter](https://twitter.com/realvnc) | [Linkedin](https://www.linkedin.com/company/realvnc) | [YouTube](https://www.youtube.com/user/RealVNCLtd) equals www.youtube.com (Youtube)
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB0022F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.Z
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00859000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB0022F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/2.0/AGENT.PACKAGE.WATCHDOG.ZIP
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEAGENTINFORMATION/38.8/AGENTPACKAGEAGENTINFORMATI
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/38.1/AGENTPACKAGEMONITORING.ZIP
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/26.7/AGENTPACKAGEPROGRAMMANAGE
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB0022F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/24.3/AGENTPACKAGESTREMOTE.ZIP
                              Source: AgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DB2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a6dc35606b2c6816e.awsglobalaccelerator.com
                              Source: AteraAgent.exe, 0000000C.00000000.1785622783.0000016037B32000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1551000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://acontrol.atera.com/
                              Source: rundll32.exe, 00000004.00000002.1761638743.00000000048F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1832000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE189C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1881000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1981000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1BAB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1992000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1867277939.0000000005395000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1933854948.000001F8801A2000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1935801016.0000024147C12000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB003F1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2221998261.00000158A17AB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2221998261.00000158A18C0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2221998261.00000158A1845000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED84A45000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 
0000002A.00000002.3270482818.000001A3002CA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744F89000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000039.00000002.2442123567.000001C5027CF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B1A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agent-api.atera.com
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2221998261.00000158A17AB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2221998261.00000158A18C0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2221998261.00000158A1845000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED84A45000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A3002CA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744F89000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000039.00000002.2442123567.000001C5027CF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B1A3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B085000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
                              Source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2650363249.000002788DB61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blob.ams08prdstr06a.store.core.windows.net
                              Source: AteraAgent.exe, 0000000D.00000002.2313031801.0000024DF9EBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
                              Source: AteraAgent.exe, 0000000D.00000002.2248265450.0000024DE0D46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/
                              Source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021745093000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175DAA4000.00000002.00000001.01000000.00000055.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                              Source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1840000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2313031801.0000024DF9EBD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1C6B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1BD9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2327854230.0000024DFA71D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA36B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00363000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00954000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2905521031.000002BB78966000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00845000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB006EA000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                              Source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
                              Source: AteraAgent.exe, 0000000C.00000002.1818790542.000001605204D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1818118229.00000160398B9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1818790542.0000016051FF8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2312265733.0000024DF9E20000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1840000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2313031801.0000024DF9EBD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1C6B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1BD9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2326587928.0000024DFA6ED000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2327854230.0000024DFA71D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA36B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA280000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2313031801.0000024DF9E99000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2248265450.0000024DE0D46000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1BF4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB007BD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00363000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00658000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 
0000001A.00000002.2496479736.000002BB003F1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00664000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                              Source: AteraAgent.exe, 0000000C.00000002.1818790542.00000160520A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlEd
                              Source: AteraAgent.exe, 0000000C.00000002.1819496130.0000016052325000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crla
                              Source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                              Source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
                              Source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021745093000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175DAA4000.00000002.00000001.01000000.00000055.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                              Source: AteraAgent.exe, 0000000C.00000002.1818790542.00000160520A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrlCache
                              Source: AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA2FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                              Source: AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA36B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enu
                              Source: AgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DB65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d17kmd0va0f0mp.cloudfront.net
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB007BD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB006C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00543000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB0093B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d25btwd9wax8gu.cloudfront.net
                              Source: AgentPackageAgentInformation.exe, 00000012.00000000.1900225335.000001F8FA9C2000.00000002.00000001.01000000.00000016.sdmpString found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
                              Source: AgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DB65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://download.splashtop.com
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmpString found in binary or memory: http://download.sysinternals.com/Files/SysinternalsSuite.zip
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmpString found in binary or memory: http://download.sysinternals.com/Files/SysinternalsSuitex64.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2248265450.0000024DE0D46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2074096333.000001ED9CF12000.00000002.00000001.01000000.00000025.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmpString found in binary or memory: http://learn-powershell.net/2013/02/08/powershell-and-events-object-events/
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2875443921.00000217447C2000.00000002.00000001.01000000.00000050.sdmpString found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.openjdk.java.net/mailman/listinfo
                              Source: rundll32.exe, 00000010.00000002.1868119248.0000000007A07000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1937869439.000001F8FBC30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.co
                              Source: AgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DB2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://my.splashtop.com
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/dummynamespace/
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/3
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/5
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/T
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmpString found in binary or memory: http://nsis.sourceforge.net/Docs/AppendixD.html
                              Source: powershell.exe, 0000001F.00000002.2045208780.000001FC10076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.3053946821.0000027D90072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00845000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digice
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00845000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digice(
                              Source: AteraAgent.exe, 0000000C.00000002.1818790542.000001605204D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/
                              Source: AteraAgent.exe, 0000000C.00000002.1818790542.0000016051FC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA310000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
                              Source: AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA36B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA3AB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA310000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                              Source: AteraAgent.exe, 0000000C.00000002.1818790542.000001605204D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1818118229.00000160398B9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1818790542.0000016051FF8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE18CB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2312265733.0000024DF9E20000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1840000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2313031801.0000024DF9EBD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1D68000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1C6B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1BD9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2326587928.0000024DFA6ED000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2327854230.0000024DFA71D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1881000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA36B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1981000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA280000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2313031801.0000024DF9E99000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 
0000000D.00000002.2253518610.0000024DE1C0C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2248265450.0000024DE0D46000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1BF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                              Source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2312265733.0000024DF9E20000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1840000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1C6B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1BD9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA36B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA2E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA310000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2313031801.0000024DF9E99000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2248265450.0000024DE0D46000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA2FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1937869439.000001F8FBBEC000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1938279305.000002416044F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1938279305.00000241603F7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00363000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 
0000001A.00000002.2865906697.000002BB77BBE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                              Source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1840000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2313031801.0000024DF9EBD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1C6B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1BD9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2327854230.0000024DFA71D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA36B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00363000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00954000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2905521031.000002BB78966000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00845000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB006EA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021745093000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 
00000034.00000002.3136325966.000002175DAA4000.00000002.00000001.01000000.00000055.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                              Source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0K
                              Source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021745093000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175DAA4000.00000002.00000001.01000000.00000055.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
                              Source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021745093000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175DAA4000.00000002.00000001.01000000.00000055.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                              Source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1818790542.0000016051FF8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1840000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1C6B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1BD9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA36B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA310000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00363000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2905521031.000002BB788F2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00954000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2905521031.000002BB78910000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2905521031.000002BB78966000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00845000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 
0000001A.00000002.2496479736.000002BB006EA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DBC1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DB47000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                              Source: AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA280000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2905521031.000002BB788AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
                              Source: AteraAgent.exe, 0000000C.00000002.1818790542.0000016051FDD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
                              Source: AteraAgent.exe, 0000000C.00000002.1818790542.0000016051FF8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2312265733.0000024DF9E20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7Nfjgt
                              Source: AteraAgent.exe, 0000000C.00000002.1818790542.0000016051FF8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
                              Source: rundll32.exe, 00000004.00000002.1761638743.0000000004831000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1761638743.00000000048D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1867277939.0000000005374000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1867277939.00000000052D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
                              Source: rundll32.exe, 00000004.00000002.1761638743.0000000004916000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1867277939.00000000053B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3294930991.000001A368234000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/es
                              Source: AteraAgent.exe, 0000001A.00000002.2905521031.000002BB78966000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?
                              Source: AteraAgent.exe, 0000001A.00000002.2905521031.000002BB78966000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?You
                              Source: AteraAgent.exe, 0000001A.00000002.2905521031.000002BB78966000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet/app-launch-failed
                              Source: AteraAgent.exe, 0000001A.00000002.2905521031.000002BB78966000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet/app-launch-failed&gui=trueShowing
                              Source: powershell.exe, 0000001F.00000002.1996079006.000001FC00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2324809347.0000027D80006000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D8022B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                              Source: powershell.exe, 0000001F.00000002.1996079006.000001FC019A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1996079006.000001FC00E63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1996079006.000001FC019C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2324809347.0000027D80E89000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2324809347.0000027D819C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2324809347.0000027D8199F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://asciidoctor.org/
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://asciidoctor.org/docs/user-manual/
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://asciidoctor.zulipchat.com/
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aws.amazon.com/corretto/
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://blog.adoptopenjdk.net/2021/03/transition-to-eclipse-an-update/)
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugs.openjdk.java.net/
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugs.openjdk.java.net/ed
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.jsdelivr.net/gh/IdealChain/chocolatey-packages
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.statically.io/gh/asciidoctor/brand/b9cf5e27/logo/logo-fill-color.svg
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmpString found in binary or memory: https://chocolatey.org).
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744F89000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175DAA4000.00000002.00000001.01000000.00000055.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.00000217448B1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744AF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocolatey.org/compare
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744F89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocolatey.org/compare2/
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744F89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocolatey.org/compareHj~
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744F89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocolatey.org/comparex
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmpString found in binary or memory: https://chocolatey.org/contact.
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocolatey.org/packages/adoptopenjdkjre):
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocolatey.org/packages/jre8)
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744EC0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744C9B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.00000217451AE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.000002174519F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.00000217448B1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744BFE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744AF1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744E02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocommunity.atera.com/api/v2/
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744EC0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744A9D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.00000217451AE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocommunity.atera.com/api/v2/$metadata
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744EC0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.00000217451AE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocommunity.atera.com/api/v2/P
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744EC0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.00000217451AE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocommunity.atera.com/api/v2/Search()?$filter=IsApproved
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744EC0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.00000217451AE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744BFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chocommunity.atera.com/api/v2/Search()?$filter=IsApproved%20and%20IsLatestVersion&$orderby=D
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021745162000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744EC0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175DAA4000.00000002.00000001.01000000.00000055.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.00000217448B1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744BFE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.000002174513D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021745162000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.00000217448B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/8
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.000002175493E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/Temurin11jre/11.0.25.9
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.000002175493E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/Temurin17jre/17.0.13.11
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.000002175493E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/Temurin8jre/8.432.6
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/Temurinjre/21.0.5.11/com
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/adoptopenjdk11jre/11.0.11.901
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/adoptopenjdk8jre/8.292.10.901
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/adoptopenjdkjre/16.0.1.901
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/asciidoctorj/2.5.13
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/corretto8jre/8.432.6.1S
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/javaruntime-platformspecific/7.0.79.20161125
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/javaruntime/8.0.431
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/josm/19277.0.0
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/jre6/6.0.43ion
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/jre8/8.0.431
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/openjdk11jre/11.0.16.20220913
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/openjdk8jre/8.342.07.20220913port
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.000002175493E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/server-jre/8.0.192
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/server-jre8/8.0.202
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/api/v2/package/teamcity/2024.12.0
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.000002175493E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/Temurin11jre/11.0.25.9
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.000002175493E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/Temurin8jre/8.432.6
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.000002175493E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/Temurinjre/21.0.5.11
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/adoptopenjdk11jre/11.0.11.901
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/adoptopenjdk8jre/8.292.10.901
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/adoptopenjdkjre/16.0.1.901
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/asciidoctorj/2.5.13
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/corretto8jre/8.432.6.1
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/javaruntime-platformspecific/7.0.79.20161125
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/javaruntime/8.0.431
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/josm/19277.0.0
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/jre6/6.0.43
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/jre8/8.0.431
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/openjdk11jre/11.0.16.20220913
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/package/ReportAbuse/openjdk8jre/8.342.07.20220913Zip-
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://josm.openstreetmap.de/wiki/Help
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lists.openstreetmap.org/listinfo/josm-dev
                              Source: AgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DB11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com
                              Source: AgentPackageSTRemote.exe, 00000021.00000000.1966284128.000001545D092000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DA91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com/csrs/win
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2074018248.000001ED9CF08000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://nlog-project.org/
                              Source: powershell.exe, 0000001F.00000002.2045208780.000001FC10076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.3053946821.0000027D90072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                              Source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2650363249.000002788DA21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
                              Source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2278180476.000002788CF62000.00000002.00000001.01000000.00000027.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2650363249.000002788DA21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric
                              Source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2650363249.000002788DA21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MSI/1.8.7.2/Setupx64.msi
                              Source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2278180476.000002788CF62000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MacAgent/1.0/AteraAgentInstaller.pkgA/
                              Source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2278180476.000002788CF62000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric5Get
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB006C2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB006E2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB0093B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB006E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateH
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB007BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHB
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00840000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHH
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB006E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHZ:
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00859000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHZa
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB0093B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHZp
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB0083E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHb
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB007BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHj
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB006E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHrW
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHx
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00543000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/a
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/ag
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE17F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.16/AgentPackage
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE17EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.16/AgentPackageA
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.16/AgentPackageAg
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.16/AgentPackageAge
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE17F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.16/AgentPackageAgentI
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.6/AgentPackageMonitoring.zi
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.8/AgentPackageSTRemote.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.8/AgentPackageSTRemote.ziph
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/2.0/Agent.Package.Watchdog.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE17F8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE17EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.8/AgentPackageAgentInformation
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/38.1/AgentPackageMonitoring.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/38.1/AgentPackageMonitoring.ziph
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.3/AgentPackageSTRemote.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.3/AgentPackageSTRemote.ziph
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesne
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB0022F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00859000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/2.0/Agent.Package.Wat
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/2.0/Agent.Package.Watchdog.zip
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00859000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00543000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB0022F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/2.0/Agent.Package.Watchdog.zip?Hy/oLR
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB0022F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?Hy/oLRCXSx
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE17F8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE17EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19A2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.8/AgentPackageAgentInformati
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?Hy/oLR
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip?Hy/o
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19A2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/38.1/AgentPackageMonitoring.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/38.1/AgentPackageMonitoring.zip?Hy/oL
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/38.1/AgentPackageMonitoring.ziph
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/30.3/AgentPackageOsUpdates.zip
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.7/AgentPackageProgramManage
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB0022F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19A2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.3/AgentPackageSTRemote.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.3/AgentPackageSTRemote.zip?Hy/oLRCXS
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.3/AgentPackageSTRemote.ziph
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.12/AgentPackageSystemTools.zip
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.12/AgentPackageSystemTools.zip?Hy
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.3/AgentPackageTicketing.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
                              Source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip?H
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE17F8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE17EC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                              Spam, unwanted Advertisements and Ransom Demands

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent

                              System Summary

                              Source: 65.2.AgentPackageADRemote.exe.1a26f8a0000.1.unpack, type: UNPACKEDPE Matched rule: yara_runascs Author: Sekoia.io
                              Source: 35.2.AgentPackageMonitoring.exe.1ed83f10000.1.unpack, type: UNPACKEDPE Matched rule: yara_runascs Author: Sekoia.io
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA4ED.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA4ED.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA4ED.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA4ED.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA4ED.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA4ED.tmp-\CustomAction.config
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA82A.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA82A.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA82A.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA82A.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA82A.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIA82A.tmp-\CustomAction.config
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB77D.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB77D.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB77D.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB77D.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB77D.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIB77D.tmp-\CustomAction.config
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICE75.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICE75.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICE75.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICE75.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICE75.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICE75.tmp-\CustomAction.config
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI99A5.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI99A5.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI99A5.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI99A5.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI99A5.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI99A5.tmp-\CustomAction.config
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log
                              Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIA4ED.tmpJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4B7D2035_2_00007FFDEE4B7D20
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE429CF035_2_00007FFDEE429CF0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3F5E5035_2_00007FFDEE3F5E50
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE413E1035_2_00007FFDEE413E10
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE415AD035_2_00007FFDEE415AD0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE419A6035_2_00007FFDEE419A60
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE497A6035_2_00007FFDEE497A60
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE447B3035_2_00007FFDEE447B30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE483AF035_2_00007FFDEE483AF0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE429BA035_2_00007FFDEE429BA0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4CDB8035_2_00007FFDEE4CDB80
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE523C2035_2_00007FFDEE523C20
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE40BBE035_2_00007FFDEE40BBE0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4418DA35_2_00007FFDEE4418DA
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE40D91035_2_00007FFDEE40D910
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE44B9F035_2_00007FFDEE44B9F0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4D56D035_2_00007FFDEE4D56D0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE48169035_2_00007FFDEE481690
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE48772035_2_00007FFDEE487720
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4536E035_2_00007FFDEE4536E0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE42D77035_2_00007FFDEE42D770
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE52F79035_2_00007FFDEE52F790
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE43F78035_2_00007FFDEE43F780
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE53184035_2_00007FFDEE531840
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3FD83035_2_00007FFDEE3FD830
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E74B035_2_00007FFDEE3E74B0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E347435_2_00007FFDEE3E3474
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E955C35_2_00007FFDEE3E955C
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE42F63035_2_00007FFDEE42F630
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3ED63435_2_00007FFDEE3ED634
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3F564035_2_00007FFDEE3F5640
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE44B64735_2_00007FFDEE44B647
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3ED28435_2_00007FFDEE3ED284
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE47D35035_2_00007FFDEE47D350
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3EF34035_2_00007FFDEE3EF340
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4093D035_2_00007FFDEE4093D0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE47B37035_2_00007FFDEE47B370
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4BF3E035_2_00007FFDEE4BF3E0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE5150F035_2_00007FFDEE5150F0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE44F1B035_2_00007FFDEE44F1B0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E11B035_2_00007FFDEE3E11B0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE47917035_2_00007FFDEE479170
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE45F22035_2_00007FFDEE45F220
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4F320035_2_00007FFDEE4F3200
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B41D56C35_2_00007FFD9B41D56C
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B42013D35_2_00007FFD9B42013D
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B6332A635_2_00007FFD9B6332A6
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B63ADD835_2_00007FFD9B63ADD8
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B7487CD35_2_00007FFD9B7487CD
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B754D9735_2_00007FFD9B754D97
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B753CF135_2_00007FFD9B753CF1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B75C91035_2_00007FFD9B75C910
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B804F8835_2_00007FFD9B804F88
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B9AD3E835_2_00007FFD9B9AD3E8
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B9AA31535_2_00007FFD9B9AA315
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B9A0E6935_2_00007FFD9B9A0E69
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B9B461535_2_00007FFD9B9B4615
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B9A74F435_2_00007FFD9B9A74F4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B9B47A035_2_00007FFD9B9B47A0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: String function: 00007FFDEE531B70 appears 102 times
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: String function: 00007FFDEE531D30 appears 114 times
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: String function: 00007FFDEE5306B0 appears 145 times
                              Source: System.Linq.Queryable.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Web.HttpUtility.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Memory.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Text.Json.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Net.Primitives.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Net.WebProxy.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Diagnostics.Process.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.IO.Compression.ZipFile.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Net.NetworkInformation.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Security.AccessControl.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Collections.Specialized.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Collections.NonGeneric.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Net.Sockets.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.IO.IsolatedStorage.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Runtime.Serialization.Primitives.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Linq.Parallel.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Private.Xml.Linq.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.IO.FileSystem.DriveInfo.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Threading.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.IO.FileSystem.Watcher.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.ComponentModel.Primitives.dll.1.dr Static PE information: No import functions for PE file found
                              Source: Microsoft.VisualBasic.Core.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Private.Uri.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Linq.Expressions.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Data.Common.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Security.Principal.Windows.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Collections.Concurrent.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Net.Mail.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Net.HttpListener.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Runtime.CompilerServices.VisualC.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Diagnostics.TextWriterTraceListener.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.IO.Pipes.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Collections.Immutable.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Net.WebHeaderCollection.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Runtime.InteropServices.JavaScript.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.ComponentModel.Annotations.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Transactions.Local.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Private.DataContractSerialization.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Console.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Runtime.InteropServices.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Threading.Tasks.Dataflow.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Threading.Tasks.Parallel.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Security.Claims.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Net.WebSockets.Client.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Diagnostics.FileVersionInfo.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Text.Encodings.Web.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.IO.MemoryMappedFiles.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.ObjectModel.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Diagnostics.DiagnosticSource.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.Net.Ping.dll.1.dr Static PE information: No import functions for PE file found
                              Source: System.IO.Compression.Brotli.dll.1.dr Static PE information: No import functions for PE file found
                              Source: Microsoft.CSharp.dll.1.dr Static PE information: No import functions for PE file found
                              Source: clretwrc.dll.1.dr Static PE information: No import functions for PE file found
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: Commandline size = 2930
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: Commandline size = 2930
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: Commandline size = 2930
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: Commandline size = 2930
                              Source: 65.2.AgentPackageADRemote.exe.1a26f8a0000.1.unpack, type: UNPACKEDPE Matched rule: yara_runascs author = Sekoia.io, creation_date = 2023-08-23, classification = TLP:CLEAR, version = 1.0, id = 1720f042-2cc6-4ef1-b66c-fe8a4214366a
                              Source: 35.2.AgentPackageMonitoring.exe.1ed83f10000.1.unpack, type: UNPACKEDPE Matched rule: yara_runascs author = Sekoia.io, creation_date = 2023-08-23, classification = TLP:CLEAR, version = 1.0, id = 1720f042-2cc6-4ef1-b66c-fe8a4214366a
                              Source: classification engine Classification label: mal100.troj.spyw.evad.winMSI@117/901@0/15
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7212:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8048:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2804:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe Mutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackageosupdates_log.txt
                              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5592:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7188:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1524:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4444:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Mutant created: \BaseNamedObjects\Global\GenericDevicesFileLock
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Mutant created: \BaseNamedObjects\C__Program Files (x86)_ATERA Networks_AteraAgent_Packages_AgentPackageProgramManagement_logs_chocolatey.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Mutant created: \BaseNamedObjects\Global\Access_ISABUS.HTP.Method
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:940:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8036:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3176:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4476:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe Mutant created: NULL
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5084:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3720:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7820:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:480:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7312:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Mutant created: \BaseNamedObjects\Global\SNMPDevicesFileLock
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Mutant created: \BaseNamedObjects\NLogMutexTester
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Mutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackagemonitoring_log.txt
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Mutant created: \BaseNamedObjects\Global\{bd59231e-97d1-4fc0-a975-80c3fed498b7}
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Mutant created: \BaseNamedObjects\C__Program Files (x86)_ATERA Networks_AteraAgent_Packages_AgentPackageProgramManagement_logs_choco.summary.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Mutant created: \BaseNamedObjects\Global\Access_PCI
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Mutant created: \BaseNamedObjects\Global\HttpDevicesFileLock
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7028:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7984:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7876:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7548:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2656:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Mutant created: \BaseNamedObjects\Global\ServerDevicesFileLock
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF44D96E07E9A5473B.TMPJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                              Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;AteraAgent.exe&quot;)
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                              Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIA4ED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5612890 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);p
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);p
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResult
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5AF57000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5AD4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@
                              Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2101959263.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5AD4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5AD4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B200000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO StatisticsSendTime (Timestamp) Values (@timestamp);
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B0B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2101959263.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                              Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2101959263.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                              Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2101959263.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                              Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2101959263.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B121000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, Name, Timestamp, Value FROM Statistics;
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);p
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2077564694.000001ED9DCD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5AD4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                              Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2101959263.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED84A76000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED84A76000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5AF57000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                              Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2101959263.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B391000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                              Source: XML-702.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                              Source: XML-702.msiReversingLabs: Detection: 28%
                              Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\XML-702.msi"
                              Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 880080BE1478B06580F06BAFC5D76649
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIA4ED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5612890 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIA82A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5613656 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIB77D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5617562 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5BF63B3DEC55F2B0AB21F4C24E7E610C E Global\MSI0000
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="contato@plasticoseireli.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q3000005bkCOIAY" /AgentId="129f3953-acb3-4c59-97d2-68ee1acc4037"
                              Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSICE75.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5623421 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "dd688ee6-da7a-489a-824e-4b2b8f963f93" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "2e37e1c0-19ef-487a-bbff-8667419be909" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "a2b1d8f6-2f82-4898-80a5-6c64d88ad439" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "c08b9836-612b-4f1a-a9b2-6d15dae1664b" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB 
$DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible "
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "73baa492-8131-47bd-aef7-ff6f586897ca" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "83a39b31-6e02-450c-883e-7bcfe5037852" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                              Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "ad826f4a-bdf2-4b7c-85be-2ce6747e9604" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB 
$DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible "
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "01be1e33-edd2-4b80-ad30-0a2ff62d8a90" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "bb91c3ae-13a9-46d3-b7cd-8a12a2b5a6f8" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "337a6611-035b-4530-8875-95d63c915d31" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 710833DCD7A2D76742D801FD4C065DF0 E Global\MSI0000
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI99A5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5675609 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "5898f009-0c88-42d0-af0f-4e5a5d40fd4a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "898b7d78-f877-4008-88ae-7d7cecc198d8" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "6f5a73d1-06cd-46b4-86b8-fdba5613e7c2" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q3000005bkCOIAY
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "d73a02c6-2491-46af-96a3-8578313e700f" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "49f83d36-063d-4873-a1b6-871acf3a8149" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 880080BE1478B06580F06BAFC5D76649
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5BF63B3DEC55F2B0AB21F4C24E7E610C E Global\MSI0000
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="contato@plasticoseireli.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q3000005bkCOIAY" /AgentId="129f3953-acb3-4c59-97d2-68ee1acc4037"
                              Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknown
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIA4ED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5612890 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIA82A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5613656 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIB77D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5617562 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSICE75.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5623421 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                              Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "dd688ee6-da7a-489a-824e-4b2b8f963f93" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "2e37e1c0-19ef-487a-bbff-8667419be909" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "a2b1d8f6-2f82-4898-80a5-6c64d88ad439" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "c08b9836-612b-4f1a-a9b2-6d15dae1664b" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "73baa492-8131-47bd-aef7-ff6f586897ca" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "83a39b31-6e02-450c-883e-7bcfe5037852" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "ad826f4a-bdf2-4b7c-85be-2ce6747e9604" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: unknown unknown
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                              Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: winsta.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dll
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dll
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dll
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dll
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dll
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dll
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: uxtheme.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: riched20.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: usp10.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msls31.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: napinsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: pnrpnsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wshbth.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: nlaapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winrnr.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App
                              Source: C:\Windows\System32\msiexec.exe, Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.Emit.Lightweight.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\mscorrc.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Text.Encoding.CodePages.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.Http.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Private.Xml.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\.versionJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.Extensions.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Numerics.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.Requests.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.TypeExtensions.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.DispatchProxy.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Text.Encoding.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.Serialization.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Resources.Writer.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.TraceSource.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\netstandard.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.NETCore.App.deps.jsonJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.Encoding.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Core.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.X509Certificates.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.Contracts.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.OpenSsl.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.Linq.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\clrgc.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\msquic.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\hostJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxrJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\8.0.11Jump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\8.0.11\hostfxr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\dotnet.exeJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\LICENSE.txtJump to behavior
                              Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\ThirdPartyNotices.txtJump to behavior
                              Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}Jump to behavior
                              Source: XML-702.msiStatic file information: File size 2994176 > 1048576
                              Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000023.00000002.2067391884.000001ED9CC02000.00000002.00000001.01000000.00000022.sdmp
                              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: AgentPackageOsUpdates.exe, 0000003A.00000002.2721408614.000001EBF7F92000.00000002.00000001.01000000.0000004A.sdmp
                              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb8 source: AgentPackageAgentInformation.exe, 00000012.00000000.1900225335.000001F8FA9C2000.00000002.00000001.01000000.00000016.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1785622783.0000016037B32000.00000002.00000001.01000000.0000000F.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.1935279763.0000024147522000.00000002.00000001.01000000.00000018.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2863025472.0000021744632000.00000002.00000001.01000000.0000004F.sdmp, AgentPackageHeartbeat.exe, 0000003C.00000002.2482061773.000001C876972000.00000002.00000001.01000000.00000039.sdmp
                              Source: Binary string: mscorlib.pdbVd" source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D900000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb@ source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2278180476.000002788CF62000.00000002.00000001.01000000.00000027.sdmp
                              Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000023.00000002.2075944227.000001ED9CFD2000.00000002.00000001.01000000.00000026.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbd source: AgentPackageUpgradeAgent.exe, 0000002E.00000000.2278180476.000002788CF62000.00000002.00000001.01000000.00000027.sdmp
                              Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmp
                              Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2044948171.000001ED84442000.00000002.00000001.01000000.00000020.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 00000039.00000002.2441143442.000001C502652000.00000002.00000001.01000000.00000035.sdmp
                              Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdbSHA256 source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb| source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: dows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00363000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb8 source: AgentPackageProgramManagement.exe, 00000034.00000002.2863025472.0000021744632000.00000002.00000001.01000000.0000004F.sdmp
                              Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 00000039.00000002.2513871294.000001C51AF72000.00000002.00000001.01000000.0000003E.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1719314198.0000000004960000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.000000000468A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.0000000004775000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004DDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2348129433.000000000478E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb-a source: AgentPackageADRemote.exe, 00000041.00000002.2472321285.000001A26F8A2000.00000002.00000001.01000000.00000036.sdmp
                              Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: AteraAgent.exe, 0000001A.00000002.2905521031.000002BB78966000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\A\_work\39\s\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net45\System.Runtime.InteropServices.RuntimeInformation.pdb source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1785622783.0000016037B32000.00000002.00000001.01000000.0000000F.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageADRemote\AgentPackageADRemote\obj\Release\AgentPackageADRemote.pdb source: AgentPackageADRemote.exe, 00000041.00000000.2371571451.000001A26F542000.00000002.00000001.01000000.00000033.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb!_;_ -__CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 0000003A.00000002.2520013020.000001EBDEFA2000.00000002.00000001.01000000.00000041.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00845000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdb source: AgentPackageOsUpdates.exe, 0000003A.00000002.2712671371.000001EBF7DC2000.00000002.00000001.01000000.00000047.sdmp
                              Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdbd source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 00000039.00000000.2350687897.000001C501D32000.00000002.00000001.01000000.0000002E.sdmp
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.2325257531.0000024DFA5C2000.00000002.00000001.01000000.0000002B.sdmp
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000D.00000002.2325257531.0000024DFA5C2000.00000002.00000001.01000000.0000002B.sdmp
                              Source: Binary string: \REGISTRY\USER\S-1-5-18ll\mscorlib.pdb source: AgentPackageOsUpdates.exe, 0000003A.00000002.2679052691.000001EBF7CCD000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2074096333.000001ED9CF12000.00000002.00000001.01000000.00000025.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2071374320.000001ED9CDB2000.00000002.00000001.01000000.00000023.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\AgentPackageProgramManagement\obj\Release\AgentPackageProgramManagement.pdb source: AgentPackageProgramManagement.exe, 00000034.00000000.2315651131.0000021743E12000.00000002.00000001.01000000.0000002A.sdmp
                              Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmp
                              Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdb source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\ThirdPartyPackageManager\obj\Release\ThirdPartyPackageManager.pdb source: AgentPackageProgramManagement.exe, 00000034.00000002.2860890120.0000021744182000.00000002.00000001.01000000.0000004E.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000012.00000000.1900225335.000001F8FA9C2000.00000002.00000001.01000000.00000016.sdmp
                              Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2067391884.000001ED9CC02000.00000002.00000001.01000000.00000022.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbb source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1719314198.0000000004960000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.000000000468A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.0000000004775000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004DDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2348129433.000000000478E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1840000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1BD9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1937350765.000001F8FBAC2000.00000002.00000001.01000000.00000019.sdmp
                              Source: Binary string: ]c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175DAA4000.00000002.00000001.01000000.00000055.sdmp
                              Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256~ source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00363000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1719314198.0000000004991000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.00000000046BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.00000000047A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1840000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1BD9000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000012.00000002.1937350765.000001F8FBAC2000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2074096333.000001ED9CF12000.00000002.00000001.01000000.00000025.sdmp, rundll32.exe, 00000038.00000003.2348129433.00000000047BF000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2801505651.00000278A61A2000.00000002.00000001.01000000.0000004C.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00845000.00000004.00000800.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdbTlnl `l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 00000031.00000000.2306992769.000002B19E262000.00000002.00000001.01000000.00000028.sdmp
                              Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbiiiGCTL source: AteraAgent.exe, 0000001A.00000002.2905521031.000002BB78966000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2801505651.00000278A61A2000.00000002.00000001.01000000.0000004C.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 0000003A.00000000.2357284880.000001EBDEB32000.00000002.00000001.01000000.00000031.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmp
                              Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D8F2000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB0xY source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 00000039.00000002.2513871294.000001C51AF72000.00000002.00000001.01000000.0000003E.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: AgentPackageADRemote.exe, 00000041.00000002.2472321285.000001A26F8A2000.00000002.00000001.01000000.00000036.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageHeartbeat\AgentPackageHeartbeat\obj\Release\AgentPackageHeartbeat.pdb source: AgentPackageHeartbeat.exe, 0000003C.00000000.2360977193.000001C876612000.00000002.00000001.01000000.00000032.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb4X source: AgentPackageHeartbeat.exe, 0000003C.00000002.2482061773.000001C876972000.00000002.00000001.01000000.00000039.sdmp
                              Source: Binary string: c:\borrar\EmptyDll\Release\EmptyDll.pdb source: AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175DAA4000.00000002.00000001.01000000.00000055.sdmp
                              Source: Binary string: C:\buildAgent\work\1b72bc6dac87fa71\code_drop\merge\chocolatey.pdb source: AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175DAA4000.00000002.00000001.01000000.00000055.sdmp
                              Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 0000003A.00000002.2712671371.000001EBF7DC2000.00000002.00000001.01000000.00000047.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1719314198.0000000004960000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1730020662.000000000468A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1764369780.0000000004775000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1823152124.0000000004DDB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000038.00000003.2348129433.000000000478E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000023.00000002.2044948171.000001ED84442000.00000002.00000001.01000000.00000020.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.1935279763.0000024147522000.00000002.00000001.01000000.00000018.sdmp
                              Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\exe\AgentPackageUpgradeAgent.pdb7 source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D93C000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: mscorlib.pdb source: AgentPackageOsUpdates.exe, 0000003A.00000002.2738724313.000001EBF8150000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2101959263.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.3119400681.00007FFDF34FC000.00000002.00000001.01000000.0000001E.sdmp
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1819255706.00000160520C2000.00000002.00000001.01000000.00000011.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 0000003A.00000002.2520013020.000001EBDEFA2000.00000002.00000001.01000000.00000041.sdmp
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1819255706.00000160520C2000.00000002.00000001.01000000.00000011.sdmp
                              Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2075944227.000001ED9CFD2000.00000002.00000001.01000000.00000026.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000039.00000002.2441143442.000001C502652000.00000002.00000001.01000000.00000035.sdmp
                              Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdbx source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2596216514.000000D011593000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000031.00000000.2306992769.000002B19E262000.00000002.00000001.01000000.00000028.sdmp
                              Source: System.Security.Cryptography.X509Certificates.dll.1.drStatic PE information: 0xB3F7D44B [Sat Sep 5 08:03:23 2065 UTC]
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3F1910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,35_2_00007FFDEE3F1910
                              Source: msquic.dll.1.drStatic PE information: section name: _RDATA
                              Source: coreclr.dll.1.drStatic PE information: section name: .CLR_UEF
                              Source: coreclr.dll.1.drStatic PE information: section name: .didat
                              Source: coreclr.dll.1.drStatic PE information: section name: Section
                              Source: coreclr.dll.1.drStatic PE information: section name: _RDATA
                              Source: Microsoft.VisualBasic.Core.dll.1.drStatic PE information: section name: .text entropy: 6.80183570521227
                              Source: System.Collections.Concurrent.dll.1.drStatic PE information: section name: .text entropy: 6.831761822928079
                              Source: System.Linq.Parallel.dll.1.drStatic PE information: section name: .text entropy: 6.816032788074863

                              Persistence and Installation Behavior

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE926.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.Algorithms.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.Cng.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: 55a392.rbf (copy)Jump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA4ED.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.AccessControl.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.Win32.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.Pipes.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.Win32.Registry.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Buffers.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Serialization.Xml.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4E96.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.WebSockets.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.Process.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA4ED.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI41BC.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEEE5.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.IsolatedStorage.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Collections.Specialized.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Linq.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBA1F.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Numerics.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Collections.NonGeneric.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.Pipes.AccessControl.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Web.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Linq.Parallel.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.NetworkInformation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\createdump.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.XDocument.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.OpenSsl.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI99A5.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.VisualBasic.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.ServicePoint.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Collections.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICD4D.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB77D.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE985.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Dynamic.Runtime.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\clrjit.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.Compression.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\host\fxr\8.0.11\hostfxr.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.Metadata.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Numerics.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\mscorrc.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\coreclr.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.NameResolution.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ComponentModel.TypeConverter.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.Emit.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Resources.Writer.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.Ping.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.DiaSymReader.Native.amd64.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Text.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.SecureString.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Hosting.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Serialization.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ServiceModel.Web.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Console.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Private.Xml.Linq.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.XmlSerializer.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4025.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Data.Common.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Globalization.Extensions.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Principal.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\netstandard.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA82A.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB77D.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.Csp.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\mscordaccore.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.Overlapped.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICE75.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: 55a38e.rbf (copy)Jump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ComponentModel.Annotations.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Collections.Concurrent.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.Tools.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.AppContext.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.Tasks.Dataflow.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: 55a38c.rbf (copy)Jump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: 55a391.rbf (copy)Jump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Private.Uri.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.Encoding.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB77D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.Tasks.Parallel.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Intrinsics.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.Serialization.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Formats.Tar.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.WebProxy.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.XmlDocument.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.Mail.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.MemoryMappedFiles.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Globalization.Calendars.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Handles.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.WebHeaderCollection.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Drawing.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Web.HttpUtility.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4F63.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB77D.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ComponentModel.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Abstractions.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.Debug.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICD9C.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Text.Encoding.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\clrgc.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Private.Xml.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI46F1.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\WindowsBase.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.CSharp.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Console.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Text.RegularExpressions.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.Tasks.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.Thread.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Numerics.Vectors.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\mscordaccore_amd64_amd64_8.0.1124.51707.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI19EE.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ServiceProcess.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\mscordbi.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Drawing.Primitives.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB77D.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\hostpolicy.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC422.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ComponentModel.DataAnnotations.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Private.DataContractSerialization.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ObjectModel.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.Tracing.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.Extensions.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.Contracts.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.Compression.FileSystem.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Linq.Queryable.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.Emit.ILGeneration.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.Abstractions.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.FileSystem.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Text.Encoding.CodePages.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Principal.Windows.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\mscorlib.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Collections.Immutable.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.VisualBasic.Core.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.Http.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.InteropServices.JavaScript.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Resources.ResourceManager.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA4ED.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.Timer.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Formats.Asn1.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA4ED.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileSystemGlobbing.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.WebSockets.Client.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\clretwrc.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.Requests.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE926.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICD4D.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB77D.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE985.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4025.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA4ED.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA82A.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4B67.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA82A.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB77D.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI99A5.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICE75.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI99A5.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICE75.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA82A.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICE75.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4E96.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBC92.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI99A5.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSICC71.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA4ED.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA4ED.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICE75.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI41BC.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI45C6.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI446E.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEEE5.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSICE75.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE85A.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA82A.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBA1F.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4D8C.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB77D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA82A.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBAAC.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI99A5.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBD0D.tmpJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI99A5.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\AteraSetupLog.txt
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\LICENSE.txtJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt

                              Boot Survival

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000

                              Hooking and other Techniques for Hiding and Protection

                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3EA524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,35_2_00007FFDEE3EA524
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                              Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where resultclass = Win32_DiskPartition
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select DisplayName,Name,Started,State from Win32_Service where Name='MSExchangeIS' OR DisplayName='MSExchangeIS'
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_LogicalDisk
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 16037E80000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 160517F0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 24DE0F60000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 24DF9550000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1F8FB1A0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1F8FB400000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 241474D0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2415FA70000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1E528D80000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1E541200000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2BB77650000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2BB77CA0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 158A0F80000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 158B95F0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 1545D3E0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 15475980000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1ED83CF0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1ED9C4A0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1A368420000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1A368A90000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 2788D720000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 278A5A20000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1C1B1490000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1C1C9BF0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 2B19E590000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 2B1B6C80000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMemory allocated: 21744160000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMemory allocated: 2175C8B0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 1C502170000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 1C51A6A0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 1EBDEF70000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 1EBF7540000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeMemory allocated: 1C876940000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeMemory allocated: 1C877060000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1FC5A680000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1FC72C60000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeMemory allocated: 1A26F870000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeMemory allocated: 1A26FF60000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B6292D0 rdtsc 26_2_00007FFD9B6292D0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B570F2D sldt word ptr [eax]13_2_00007FFD9B570F2D
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590265
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590109
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589996
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589887
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589765
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589653
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589534
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589359
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589218
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 589062
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588916
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588795
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588665
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588534
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588359
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588228
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588125
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 588015
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 587906
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 587792
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 587682
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 587578
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 587468
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 587343
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 587233
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 587122
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 587015
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 586895
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 586775
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 586671
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 586562
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 586451
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 586343
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 586234
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 586125
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 586015
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 585906
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 585787
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 585672
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 585562
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 585447
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 585344
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 585234
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 585125
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 585015
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 3961
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 5610
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 8575
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 971
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Window / User API: threadDelayed 3479
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Window / User API: threadDelayed 5373
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7903
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1872
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Window / User API: threadDelayed 6539
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Window / User API: threadDelayed 3275
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Window / User API: threadDelayed 3671
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Window / User API: threadDelayed 425
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8866
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 766
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Window / User API: threadDelayed 7845
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Window / User API: threadDelayed 1672
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Window / User API: threadDelayed 8285
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Window / User API: threadDelayed 1419
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe Window / User API: threadDelayed 2243
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Window / User API: threadDelayed 4961
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE926.tmp
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.Algorithms.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.Cng.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 55a392.rbf (copy)
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA4ED.tmp
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.CompilerServices.Unsafe.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ComponentModel.EventBasedAsync.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.AccessControl.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.Win32.Primitives.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.Pipes.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.Win32.Registry.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI99A5.tmp-\System.Management.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Buffers.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Serialization.Xml.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.WebSockets.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI4E96.tmp
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.Process.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.CompilerServices.VisualC.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA4ED.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI41BC.tmp
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.IsolatedStorage.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIEEE5.tmp
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Collections.Specialized.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Linq.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.UnmanagedMemoryStream.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIBA1F.tmp
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Numerics.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Collections.NonGeneric.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.Pipes.AccessControl.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Web.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Linq.Parallel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.NetworkInformation.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\createdump.exe
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.XDocument.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.OpenSsl.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI99A5.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.VisualBasic.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.ServicePoint.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.ReaderWriter.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Linq.Expressions.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.TraceSource.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ValueTuple.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\msquic.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI45C6.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\dotnet.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.HttpListener.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Core.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE85A.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA82A.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA82A.tmp-\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIBAAC.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.Emit.Lightweight.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.Security.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.Compression.Brotli.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.FileSystem.Watcher.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Transactions.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Serialization.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.Compression.Native.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Serialization.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA82A.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA82A.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.XPath.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIBC92.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.WebClient.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.ThreadPool.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Logging.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSICC71.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Configuration.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.Quic.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA4ED.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ComponentModel.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 55a38f.rbf (copy)Jump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.Compression.ZipFile.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.Channels.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Windows.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSICE75.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.Sockets.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Loader.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Transactions.Local.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.XPath.XDocument.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.SecureString.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Serialization.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ServiceModel.Web.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Console.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Private.Xml.Linq.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.XmlSerializer.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Data.Common.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4025.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Globalization.Extensions.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Principal.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\netstandard.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA82A.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB77D.tmp-\System.Management.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.Csp.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\mscordaccore.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.Overlapped.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSICE75.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 55a38e.rbf (copy)Jump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ComponentModel.Annotations.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Collections.Concurrent.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.Tools.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.AppContext.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\choco.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.Tasks.Dataflow.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeDropped PE file which has not been started: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 55a391.rbf (copy)Jump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Private.Uri.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.Encoding.dllJump to dropped file
                              Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB77D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.Tasks.Parallel.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Intrinsics.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.Serialization.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Formats.Tar.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.WebProxy.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\chocolatey.exeJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.XmlDocument.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.Mail.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.MemoryMappedFiles.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Globalization.Calendars.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Handles.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exeJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.WebHeaderCollection.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Drawing.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Web.HttpUtility.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4F63.tmpJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB77D.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ComponentModel.Primitives.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Abstractions.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.Debug.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSICD9C.tmpJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Text.Encoding.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\clrgc.dllJump to dropped file
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Private.Xml.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI46F1.tmp
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\WindowsBase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.CSharp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Console.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Text.RegularExpressions.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.Tasks.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.Thread.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Numerics.Vectors.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cinst.exe
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\mscordaccore_amd64_amd64_8.0.1124.51707.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI19EE.tmp
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ServiceProcess.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\mscordbi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Drawing.Primitives.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIB77D.tmp-\Newtonsoft.Json.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIC422.tmp
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\hostpolicy.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ComponentModel.DataAnnotations.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Private.DataContractSerialization.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.ObjectModel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.Tracing.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Reflection.Extensions.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dll
                              Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Diagnostics.Contracts.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe TID: 7788Thread sleep time: -30000s >= -30000sJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8120Thread sleep time: -60000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8088Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1460Thread sleep count: 3961 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4464Thread sleep count: 5610 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7288Thread sleep time: -24903104499507879s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7288Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7620Thread sleep time: -130000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7696Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7504Thread sleep time: -180000s >= -30000s
                              Source: C:\Windows\SysWOW64\rundll32.exe TID: 7252Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1528Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7884Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8136Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7960Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7196Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8088Thread sleep count: 8575 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8088Thread sleep count: 971 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7752Thread sleep count: 39 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7752Thread sleep time: -35971150943733603s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7752Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7892Thread sleep time: -270000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7636Thread sleep time: -2767011611056431s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7900Thread sleep time: -180000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1524Thread sleep count: 3479 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8020Thread sleep count: 5373 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -23058430092136925s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -600000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -599890s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -599780s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -599672s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -599562s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -599453s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -599343s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -599234s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -599125s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -599015s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -598906s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -598797s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -598687s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -598578s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -598468s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -598359s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -598250s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -598140s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -598031s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -597922s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -597812s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -597703s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -597594s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -597484s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -597375s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -597265s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -597156s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -597047s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -596937s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -596828s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -596719s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -596609s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5596Thread sleep time: -596500s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7424Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6100Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904Thread sleep count: 7903 > 30
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608Thread sleep count: 1872 > 30
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7428Thread sleep time: -4611686018427385s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep count: 39 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -35971150943733603s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -600000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 1852Thread sleep count: 6539 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -599891s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 1852Thread sleep count: 3275 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -599766s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -599625s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -599500s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -599389s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -599274s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -599172s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -599062s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -598934s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -598828s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -598719s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -598601s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -598484s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -598370s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -598243s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -598140s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -598030s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -597912s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -597789s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -597686s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -597573s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -597450s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -597342s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -597229s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -597107s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -596907s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -596641s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -596528s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -596418s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -596312s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -596203s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2364Thread sleep time: -596094s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 8000 Thread sleep count: 3671 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 8028 Thread sleep time: -7378697629483816s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 8028 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 8000 Thread sleep count: 425 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3084 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2084 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8008 Thread sleep count: 8866 > 30
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996 Thread sleep count: 766 > 30
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608 Thread sleep time: -4611686018427385s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 7664 Thread sleep time: -60000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 5448 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 2076 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 8028 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5752 Thread sleep count: 7845 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1888 Thread sleep count: 38 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 1888 Thread sleep time: -35048813740048126s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5752 Thread sleep count: 1672 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 7732 Thread sleep time: -11068046444225724s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 4948 Thread sleep count: 8285 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 4948 Thread sleep count: 1419 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 6064 Thread sleep count: 289 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 4504 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 7884 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 7392 Thread sleep count: 2243 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 1520 Thread sleep time: -4611686018427385s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 1136 Thread sleep count: 130 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 560 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 2896 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe TID: 1528 Thread sleep time: -9223372036854770s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe TID: 3052 Thread sleep count: 61 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe TID: 2536 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5344 Thread sleep count: 4961 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 8040 Thread sleep time: -11990383647911201s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 8040 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6824 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3624 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 2664 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe File opened: PhysicalDrive0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain FROM Win32_ComputerSystem
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                              Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe File Volume queried: C:\ FullSizeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 30000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 90000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 30000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599831
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599640
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599485
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599371
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599229
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599010
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598830
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598637
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598453
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598156
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597906
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597640
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597426
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596812
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596525
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596297
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 30000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service0
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D81450000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapterX
                              Source: svchost.exe, 00000029.00000002.3269644548.000001F0800D2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +@friendlyname"vmware virtual disk"x.dll
                              Source: svchost.exe, 00000029.00000002.3269260654.000001F080052000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: les\Ora @manufacturer"vmware"
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D81450000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
                              Source: svchost.exe, 00000029.00000002.3269180076.000001F08002B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C2942FCE4D06663969F532E45D1A
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2238325098.00000158B9F1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped]B
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D81450000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Add-NetEventVmNetworkAdapter',
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3320326634.000001A3693DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2215343760.00000158A0D9A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.3294930991.000001A368234000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D8022B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
                              Source: powershell.exe, 0000001F.00000002.2053298823.000001FC681C5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_NetEventVmNetworkAdatper.format.ps1xml
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2238155839.00000158B9F09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"aPoS[
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStopped
                              Source: AgentPackageADRemote.exe, 00000041.00000002.2472321285.000001A26F8A2000.00000002.00000001.01000000.00000036.sdmpBinary or memory string: vmware
                              Source: svchost.exe, 00000029.00000002.3269260654.000001F080052000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JSetPropValue.Manufacturer("VMware");
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware-56 4d 43
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2912938336.000001FC744F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VM
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface0
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIES1371
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2238325098.00000158B9F1B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllbb
                              Source: rundll32.exe, 00000004.00000002.1760939017.0000000002D64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
                              Source: svchost.exe, 00000029.00000002.3269260654.000001F080052000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual R
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service0
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicheartbeat"
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                              Source: rundll32.exe, 00000010.00000002.1864868741.000000000332A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2236305322.00000158B9E70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStopped
                              Source: AgentPackageOsUpdates.exe, 0000003A.00000002.2679052691.000001EBF7CCD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWb
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2238325098.00000158B9F1B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3294930991.000001A368234000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStoppedll
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service0
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.00000217448B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Tools
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3294930991.000001A368234000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStoppedAg
                              Source: AteraAgent.exe, 0000000D.00000002.2313031801.0000024DF9EBD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`F3
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2215343760.00000158A0D9A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2237280324.00000158B9ECE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped%
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "Win32_Service.Name="vmicheartbeat"p^/
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2239414816.00000158B9F70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEEmH
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2238325098.00000158B9F1B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2238155839.00000158B9F09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicshutdown"WPaSY
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service0
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service0
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II2/
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D81450000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Get-NetEventVmNetworkAdapter',
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3320326634.000001A3693DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D81450000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tEventVmNetworkAdapter',
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2215343760.00000158A0D9A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.3294930991.000001A368234000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                              Source: svchost.exe, 00000029.00000002.3269260654.000001F080052000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,@SetPropValue.FriendlyName("VMware Virtual disk");
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3294930991.000001A368234000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped.
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2215343760.00000158A0D9A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped+
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 6VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D81450000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapterX
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3320326634.000001A3693DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}"6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                              Source: AteraAgent.exe, 0000000C.00000002.1818790542.00000160520A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1818790542.000001605204D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA3AB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2315411123.0000024DFA310000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D8E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped{
                              Source: AgentPackageProgramManagement.exe, 00000034.00000000.2315651131.0000021743E12000.00000002.00000001.01000000.0000002A.sdmpBinary or memory string: VMware Tools)Cisco Webex Meetings
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"p^/
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2912938336.000001FC744F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Inc.NoneVMwarep|Ot
                              Source: svchost.exe, 00000029.00000002.3269475793.000001F08009A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                              Source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2633277895.000002788D8E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RA
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: |Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                              Source: AgentPackageAgentInformation.exe, 00000012.00000000.1900225335.000001F8FA9C2000.00000002.00000001.01000000.00000016.sdmpBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                              Source: svchost.exe, 00000029.00000002.3269475793.000001F0800A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C2942FCE4D06663969F532E45D1A
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service0
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D81450000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdownjQb
                              Source: AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5AD4A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
                              Source: powershell.exe, 0000002C.00000002.3154655272.0000027DFE8A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FMSFT_NetEventVmNetworkAdatper.cdxml
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,1
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2912938336.000001FC744F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwarep|Ot
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.2/
                              Source: AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor0
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStopped6
                              Source: powershell.exe, 0000002C.00000002.3154655272.0000027DFE8A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMSFT_NetEventVmNetworkAdatper.format.ps1xml
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2215343760.00000158A0D9A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.3294930991.000001A368234000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2238325098.00000158B9F1B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                              Source: svchost.exe, 00000029.00000002.3269644548.000001F0800D2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicshutdown"
                              Source: AgentPackageUpgradeAgent.exe, 0000002E.00000002.2627082966.000002788D8DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Win32_Service.Name="vmicshutdown"p^/
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D81450000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Remove-NetEventVmNetworkAdapter',
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D8022B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2215343760.00000158A0D9A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStoppedl
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2912938336.000001FC744F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
                              Source: powershell.exe, 0000001F.00000002.2053298823.000001FC681C5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_NetEventVmNetworkAdatper.cdxml2M
                              Source: AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744E77000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware tools
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D81450000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapterX
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D81450000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicvssbD:
                              Source: svchost.exe, 00000029.00000002.3269038311.000001F08001B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM2/
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,12/
                              Source: AgentPackageAgentInformation.exe, 00000012.00000002.1935576115.000001F8FAC5E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.1933971482.0000024147327000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2865906697.000002BB77BE6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2067956836.000001ED9CC6A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3116637604.000002175D0B4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000039.00000002.2495587234.000001C51AE80000.00000004.00000020.00020000.00000000.sdmp, AgentPackageHeartbeat.exe, 0000003C.00000002.2487819435.000001C877860000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.2927378013.000001FC745CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: svchost.exe, 00000029.00000002.3269475793.000001F08009A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2238325098.00000158B9F1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStoppedlB
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped
                              Source: AgentPackageMonitoring.exe, 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2043360173.000001ED83F12000.00000002.00000001.01000000.0000001F.sdmp, AgentPackageADRemote.exe, 00000041.00000002.2472321285.000001A26F8A2000.00000002.00000001.01000000.00000036.sdmpBinary or memory string: get_IsVirtualMachine
                              Source: AgentPackageAgentInformation.exe, 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D8022B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2238325098.00000158B9F1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStoppedwG
                              Source: AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
                              Source: AgentPackageADRemote.exe, 00000041.00000002.2422079840.000001A2001C6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineX
                              Source: AgentPackageSTRemote.exe, 00000021.00000002.2715960566.00000154762D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{)E
                              Source: svchost.exe, 00000029.00000002.3270244052.000001F0800EA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                              Source: powershell.exe, 0000002C.00000002.2324809347.0000027D81450000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
                              Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2238498880.00000158B9F29000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeat r
                              Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformation
                              Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B6292D0 rdtsc 26_2_00007FFD9B6292D0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E5E14 IsDebuggerPresent,__crtUnhandledException,GetCurrentProcess,TerminateProcess,35_2_00007FFDEE3E5E14
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE42AFB0 OutputDebugStringA,GetProcessHeap,OutputDebugStringA,GetLastError,lstrlenW,HeapAlloc,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetLastError,OutputDebugStringA,GetModuleFileNameW,lstrlenW,OutputDebugStringA,lstrcatW,lstrcatW,lstrcatW,GetFileAttributesW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,WinVerifyTrust,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetCurrentThreadId,GetCurrentProcessId,wsprintfW,GetEnvironmentVariableW,SetEnvironmentVariableW,_errno,_errno,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetLastError,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,HeapFree,_snprintf,OutputDebugStringA,35_2_00007FFDEE42AFB0
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3F1910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,35_2_00007FFDEE3F1910
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3EACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,35_2_00007FFDEE3EACD4
                              Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: page read and write | page guard

                              HIPS / PFW / Operating System Protection Evasion

                              Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="contato@plasticoseireli.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q3000005bkCOIAY" /AgentId="129f3953-acb3-4c59-97d2-68ee1acc4037"
                              Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknown
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                              Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "dd688ee6-da7a-489a-824e-4b2b8f963f93" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "2e37e1c0-19ef-487a-bbff-8667419be909" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "a2b1d8f6-2f82-4898-80a5-6c64d88ad439" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "c08b9836-612b-4f1a-a9b2-6d15dae1664b" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "73baa492-8131-47bd-aef7-ff6f586897ca" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "83a39b31-6e02-450c-883e-7bcfe5037852" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "ad826f4a-bdf2-4b7c-85be-2ce6747e9604" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "01be1e33-edd2-4b80-ad30-0a2ff62d8a90" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "bb91c3ae-13a9-46d3-b7cd-8a12a2b5a6f8" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "337a6611-035b-4530-8875-95d63c915d31" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "5898f009-0c88-42d0-af0f-4e5a5d40fd4a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "898b7d78-f877-4008-88ae-7d7cecc198d8" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "6f5a73d1-06cd-46b4-86b8-fdba5613e7c2" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "d73a02c6-2491-46af-96a3-8578313e700f" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "49f83d36-063d-4873-a1b6-871acf3a8149" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q3000005bkCOIAY
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB 
$DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible "
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: unknown unknown
                              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="contato@plasticoseireli.com.br" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q3000005bkcoiay" /agentid="129f3953-acb3-4c59-97d2-68ee1acc4037"
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "dd688ee6-da7a-489a-824e-4b2b8f963f93" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "2e37e1c0-19ef-487a-bbff-8667419be909" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "a2b1d8f6-2f82-4898-80a5-6c64d88ad439" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "c08b9836-612b-4f1a-a9b2-6d15dae1664b" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -noprofile -command " ################################################################################################ # windows 11 compatibility check script # ################################################################################################ # compatibility flag $iscompatible = $true # check if current os is windows 10 $osversion = (get-ciminstance -class win32_operatingsystem).caption if (-not $osversion.contains('windows 10')) { return } # architecture x64 $arch = (get-ciminstance -class cim_computersystem).systemtype $archvalue = 'x64-based pc' if ($arch -ne $archvalue) { $iscompatible = $false } # screen resolution $screeninfo = (get-ciminstance -classname win32_videocontroller).currentverticalresolution $valuemin = 720 if ($screeninfo -le $valuemin) { $iscompatible = $false } # cpu composition $core = (get-ciminstance -class cim_processor | select-object *).numberofcores $corevalue = 2 $frequency = (get-ciminstance -class cim_processor | select-object *).maxclockspeed $frequencyvalue = 1000 if (-not (($core -ge $corevalue) -and ($frequency -ge $frequencyvalue))) { $iscompatible = $false } # tpm $tpm2 = $false if ((get-tpm).manufacturerversionfull20) { $tpm2 = -not (get-tpm).manufacturerversionfull20.contains('not supported') } if ($tpm2 -contains $false) { $iscompatible = $false } # secure boot $secureboot = confirm-securebootuefi if ($secureboot -ne $true) { $iscompatible = $false } # ram available $memory = (get-ciminstance -class cim_computersystem).totalphysicalmemory $setminmemory = 4294967296 if ($memory -lt $setminmemory) { $iscompatible = $false } # storage available $listdisk = get-ciminstance -class win32_logicaldisk | where-object { $_.drivetype -eq '3' } $setminsizelimit = 64gb 
$diskcompatible = $false foreach ($disk in $listdisk) { if ($disk.freespace -ge $setminsizelimit) { $diskcompatible = $true } } if (-not $diskcompatible) { $iscompatible = $false } # output final result $iscompatible "
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "73baa492-8131-47bd-aef7-ff6f586897ca" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kiiwiumvxdwvzdfblcm1pc3npb25pchrpb24iom51bgwsiljlcxvpcmvqyxnzd29yze9wdglvbii6bnvsbcwiugfzc3dvcmqiom51bgx9" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "83a39b31-6e02-450c-883e-7bcfe5037852" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "ad826f4a-bdf2-4b7c-85be-2ce6747e9604" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "01be1e33-edd2-4b80-ad30-0a2ff62d8a90" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "bb91c3ae-13a9-46d3-b7cd-8a12a2b5a6f8" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageprogrammanagement\agentpackageprogrammanagement.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "337a6611-035b-4530-8875-95d63c915d31" agent-api.atera.com/production 443 or8ixli90mf "syncinstalledapps" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "5898f009-0c88-42d0-af0f-4e5a5d40fd4a" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageosupdates\agentpackageosupdates.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "898b7d78-f877-4008-88ae-7d7cecc198d8" agent-api.atera.com/production 443 or8ixli90mf "getlistofallupdates" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageheartbeat\agentpackageheartbeat.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "6f5a73d1-06cd-46b4-86b8-fdba5613e7c2" agent-api.atera.com/production 443 or8ixli90mf "heartbeat" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "d73a02c6-2491-46af-96a3-8578313e700f" agent-api.atera.com/production 443 or8ixli90mf "monitor" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageadremote\agentpackageadremote.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "49f83d36-063d-4873-a1b6-871acf3a8149" agent-api.atera.com/production 443 or8ixli90mf "eyjbzenvbw1hbmruexblijo1lcjjbnn0ywxsyxrpb25gawxlvxjsijoiahr0chm6ly9nzxquyw55zgvzay5jb20voenrc3u5a3yvqw55rgvza19ddxn0b21fq2xpzw50lm1zasisikzvcmnlsw5zdgfsbci6zmfsc2usilrhcmdldfzlcnnpb24ioiiifq==" 001q3000005bkcoiay
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E739C cpuid 35_2_00007FFDEE3E739C
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                              Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                              Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIA4ED.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIA4ED.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIA82A.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIA82A.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIA82A.tmp-\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIB77D.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIB77D.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSICE75.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSICE75.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSICE75.tmp-\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Client\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.Client.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI99A5.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI99A5.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll VolumeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3ECC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,35_2_00007FFDEE3ECC04
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E85D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,35_2_00007FFDEE3E85D4
                              Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

                              Stealing of Sensitive Information

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeDevice IO: \Device\Harddisk0\DR0

                              Remote Access Functionality

                              Source: Yara matchFile source: 46.0.AgentPackageUpgradeAgent.exe.2788cf60000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 19.2.AgentPackageAgentInformation.exe.24147520000.1.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 65.2.AgentPackageADRemote.exe.1a26f8a0000.1.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 60.2.AgentPackageHeartbeat.exe.1c876970000.1.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 33.0.AgentPackageSTRemote.exe.1545d090000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 58.2.AgentPackageOsUpdates.exe.1ebdefa0000.1.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 26.2.AteraAgent.exe.2bb00605a48.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 35.2.AgentPackageMonitoring.exe.1ed83f10000.1.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 52.0.AgentPackageProgramManagement.exe.21743e10000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 26.2.AteraAgent.exe.2bb00363730.0.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 35.0.AgentPackageMonitoring.exe.1ed83a60000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 57.0.AgentPackageInternalPoller.exe.1c501d30000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 12.0.AteraAgent.exe.16037b30000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 49.0.AgentPackageTicketing.exe.2b19e260000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 65.0.AgentPackageADRemote.exe.1a26f540000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 58.0.AgentPackageOsUpdates.exe.1ebdeb30000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 52.2.AgentPackageProgramManagement.exe.21744630000.2.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 18.0.AgentPackageAgentInformation.exe.1f8fa9c0000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE18CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000023.00000002.2067956836.000001ED9CC50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000039.00000002.2495587234.000001C51AF36000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.3110287601.000002175D057000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000018.00000002.1946436379.000001E528AB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000025.00000002.2145934957.000001CA2595C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000C.00000002.1817843948.0000016037EE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000012.00000002.1935576115.000001F8FABFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003A.00000002.2679052691.000001EBF7C50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000039.00000002.2495587234.000001C51AF12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002A.00000002.3294930991.000001A368234000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000012.00000002.1935576115.000001F8FABB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000038.00000003.2348129433.000000000478E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.2881869825.000002174501F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002E.00000002.2633277895.000002788D900000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2624009560.000001FC5B38B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000C.00000002.1816839322.0000016037D33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000036.00000003.2465322918.000001F656053000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000041.00000002.2422079840.000001A200001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000C.00000002.1818118229.000001603987C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE193E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000018.00000002.1947570429.000001E529201000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE1840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2588694913.000001FC5A300000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2248215569.0000024DE0CB0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2496479736.000002BB00570000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2496479736.000002BB00859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2496479736.000002BB00543000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002E.00000000.2278180476.000002788CF62000.00000002.00000001.01000000.00000027.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003A.00000002.2532274938.000001EBDF751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000C.00000002.1816839322.0000016037D14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000039.00000002.2442123567.000001C5028D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000021.00000002.2533787286.000001545D18D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2313031801.0000024DF9EBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000021.00000002.2533787286.000001545D210000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE1D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.2881869825.0000021744F89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2496479736.000002BB00658000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000039.00000002.2424358574.000001C501F76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001D.00000002.2221998261.00000158A17AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000021.00000002.2565106208.000001545D981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002A.00000002.3294930991.000001A3681ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000021.00000002.2565106208.000001545DA83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000030.00000002.2325133907.000001C1B127B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002A.00000002.3320326634.000001A3693DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2248265450.0000024DE0CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003A.00000002.2520013020.000001EBDEFA2000.00000002.00000001.01000000.00000041.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000021.00000002.2563220552.000001545D430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000039.00000002.2442123567.000001C5026BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001D.00000002.2215343760.00000158A0D30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2886193148.000001FC73417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000025.00000002.2145934957.000001CA25973000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE197E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2624009560.000001FC5B200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000039.00000002.2442123567.000001C5028E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001D.00000002.2221305797.00000158A0FD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000039.00000002.2424358574.000001C501F3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000031.00000000.2306992769.000002B19E262000.00000002.00000001.01000000.00000028.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000041.00000000.2371571451.000001A26F542000.00000002.00000001.01000000.00000033.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001D.00000002.2239414816.00000158B9F70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000023.00000002.2067956836.000001ED9CC6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2592491990.000001FC5A4DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2624009560.000001FC5B305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE1C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000C.00000002.1819496130.00000160522F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.2881869825.0000021745162000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2496479736.000002BB00664000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000C.00000000.1785622783.0000016037B32000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2496479736.000002BB003F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000039.00000002.2442123567.000001C5028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002E.00000002.2650363249.000002788DCB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000041.00000002.2474043015.000001A26F8E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000C.00000002.1819467626.00000160522E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2624009560.000001FC5B0B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000023.00000002.2035764430.000001ED83D73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000018.00000002.1946436379.000001E528A38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003C.00000002.2431955997.000001C800001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000004.00000002.1761638743.0000000004831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000027.00000002.2144138281.000001B0827E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.2881869825.000002174504F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000012.00000002.1933854948.000001F880001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000C.00000002.1818118229.00000160398B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000013.00000002.1935801016.0000024147AE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002A.00000002.3268267011.00000089AA6F3000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003A.00000002.2532274938.000001EBDF800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2611838691.000001FC5A6B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2834800386.000002BB773B0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002A.00000002.3301700390.000001A3683D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003A.00000002.2532274938.000001EBDFB3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002E.00000002.2623033355.000002788D230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002C.00000002.3105566513.0000027DFD980000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000023.00000000.1997512285.000001ED83A62000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000036.00000002.2586431784.000001F65605C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000023.00000002.2035764430.000001ED83DBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000013.00000002.1935801016.0000024147AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE1BD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000030.00000002.2325133907.000001C1B1268000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003A.00000002.2532274938.000001EBDFB2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2910975285.000001FC74405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000013.00000002.1935801016.0000024147A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE1C6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000039.00000002.2495587234.000001C51AEBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000030.00000002.2497493023.000001C1B14E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002E.00000002.2601763540.000002788D124000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000039.00000002.2442123567.000001C502818000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003C.00000002.2468147343.000001C876852000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000036.00000003.2578412529.000001F655690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000036.00000003.2583703550.000001F65605A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003A.00000002.2532274938.000001EBDF899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000025.00000003.2077592708.000001CA25BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.2837469028.0000021743F69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2865906697.000002BB77B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE18C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2496479736.000002BB00064000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003A.00000000.2357284880.000001EBDEB32000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.2881869825.0000021744E77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2592491990.000001FC5A4A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2835769180.000002BB77430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002E.00000002.2633277895.000002788D8E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE1881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE15D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000023.00000002.2035764430.000001ED83D30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000041.00000002.2456395472.000001A26F6EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.2881869825.0000021745093000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000013.00000002.1935677168.0000024147600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.2881869825.0000021744E14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003A.00000002.2489207927.0000009077637000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2253518610.0000024DE1551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003A.00000002.2532274938.000001EBDF71D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000C.00000002.1818118229.000001603996C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002A.00000002.3294930991.000001A3681B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2835769180.000002BB774EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2496479736.000002BB00598000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2624009560.000001FC5AF57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2315411123.0000024DFA36B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2592491990.000001FC5A4A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000039.00000002.2442123567.000001C5026C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003A.00000002.2532274938.000001EBDF7AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.2881869825.0000021744EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2315411123.0000024DFA2CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.2837469028.0000021743F9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001D.00000002.2221998261.00000158A1842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001D.00000002.2221998261.00000158A1687000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002E.00000002.2650363249.000002788DCA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000013.00000002.1938279305.00000241603F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.2881869825.0000021744E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2624009560.000001FC5B391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000004.00000003.1730020662.000000000468A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2624009560.000001FC5AC61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002E.00000002.2650363249.000002788DB9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003E.00000002.2592491990.000001FC5A523000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003C.00000002.2485637153.000001C876A00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003C.00000002.2468147343.000001C87685A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2835769180.000002BB7746E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000041.00000002.2456395472.000001A26F66C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003A.00000002.2532274938.000001EBDF616000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2835769180.000002BB774B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000021.00000002.2533787286.000001545D1C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000034.00000002.3116637604.000002175D0B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001D.00000002.2241925591.00000158BA00D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000025.00000002.2145934957.000001CA25950000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000010.00000002.1867277939.0000000005374000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000002E.00000002.2601763540.000002788D1CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000001A.00000002.2496479736.000002BB0093B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000041.00000002.2422079840.000001A2001C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000003A.00000002.2496732047.000001EBDEC10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 0000000D.00000002.2315411123.0000024DFA3AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7676, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7732, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7828, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AteraAgent.exe PID: 8064, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AteraAgent.exe PID: 7264, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7424, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7864, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7832, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 8148, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AteraAgent.exe PID: 2936, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 2476, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 1148, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageSTRemote.exe PID: 7532, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageMonitoring.exe PID: 3940, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: cmd.exe PID: 7952, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: cscript.exe PID: 7984, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 6440, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7180, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 7912, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 412, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageTicketing.exe PID: 1284, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageProgramManagement.exe PID: 2692, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 6024, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 4144, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageInternalPoller.exe PID: 980, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageOsUpdates.exe PID: 7828, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageHeartbeat.exe PID: 5516, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageMonitoring.exe PID: 5236, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: AgentPackageADRemote.exe PID: 5172, type: MEMORYSTR
Source: Yara match, File source: C:\Windows\Temp\~DF19F6CA16E441F4BA.TMP, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DF1F0D1A244819E315.TMP, type: DROPPED
Source: Yara match, File source: C:\Config.Msi\55a386.rbs, type: DROPPED
Source: Yara match, File source: C:\Windows\Installer\MSICE75.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DF81AEDB3E98009857.TMP, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DF49FA946339BE9BCC.TMP, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\01-14-2025 13_35_11-log.txt, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DF47CDAC368E11675F.TMP, type: DROPPED
Source: Yara match, File source: dropped/ConDrv, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DF77A6D6044EE2AC8F.TMP, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DF81DFFBC662D7CE7C.TMP, type: DROPPED
Source: Yara match, File source: C:\Windows\Installer\MSICC22.tmp, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DF52C85AFF5223CE4F.TMP, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\AteraSetupLog.txt, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DF5DB8468F6DFC9E15.TMP, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DF98B9107F6CB6DD2C.TMP, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\01-14-2025 13_35_10-log.txt, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DFB7F7F9B5484A5620.TMP, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DFCCA859E58D57E570.TMP, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
Source: Yara match, File source: C:\Windows\Temp\~DF44D96E07E9A5473B.TMP, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF031E6A2EADC2E3D5.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DFB1D180C23304AF6D.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DFEDCD4683FFA3EC74.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF91ECC3DB25A02C27.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DFE500805D605C1849.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Installer\MSIB77D.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF3DDFFD3B292A498A.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_8.0.11_(x64)_20250114133539_001_dotnet_hostfxr_8.0.11_win_x64.msi.log, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DFA6283C77C981C69E.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF0FC8039C7B9CAF59.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF572CE684DC65C7EA.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\choco.summary.log, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF70522A7512B0DF53.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF70E7F98A2CC68928.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF54AC50259F651B2F.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DFAB3CC1A7EA685EE1.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DFE4C71D847951C502.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Installer\MSI99A5.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Installer\MSIA4ED.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_8.0.11_(x64)_20250114133539_002_dotnet_host_8.0.11_win_x64.msi.log, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DFDCDFD0CB2A31DA77.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Config.Msi\55a38b.rbs, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF505B9DA8AB49E8F7.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF754BD4A196221961.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_8.0.11_(x64)_20250114133539_000_dotnet_runtime_8.0.11_win_x64.msi.log, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Installer\MSIA82A.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Installer\MSIE7CC.tmp, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF79A08EE260C65CD3.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF50DDB4410769EE1D.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF03DAE23EAFCC3585.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Installer\MSIBA1E.tmp, type: DROPPED
                              Source: Yara matchFile source: C:\Config.Msi\55a393.rbs, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DFE621A4F0D30A8591.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DFA6E424478D76B90E.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Windows\Temp\~DF330515E7C2838D1E.TMP, type: DROPPED
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Code function: 35_2_00007FFDEE42B9F0 GetModuleHandleW, OutputDebugStringA, GetProcAddress, OutputDebugStringA, OutputDebugStringA, OutputDebugStringA, GetModuleHandleW, OutputDebugStringA, GetLastError, GetProcAddress, OutputDebugStringA, OutputDebugStringA, CorBindToRuntimeEx, OutputDebugStringA, OutputDebugStringA, OutputDebugStringA, OutputDebugStringA, OutputDebugStringA, OutputDebugStringA, _snprintf, OutputDebugStringA, 35_2_00007FFDEE42B9F0
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 1 Replication Through Removable Media | 641 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 21 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 22 Windows Service | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 22 Windows Service | 111 Process Injection | 4 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 1 Software Packing | NTDS | 265 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | 11 Service Execution | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 791 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 123 Masquerading | Proc Filesystem | 381 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Modify Registry | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 381 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 111 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Rundll32 | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
[Behavior graph: Behavior Graph ID: 1591190, Sample: XML-702.msi, Startdate: 14/01/2025, Architecture: WINDOWS, Score: 100]

Source | Detection | Scanner | Label | Link
XML-702.msi | 29% | ReversingLabs | Win32.Trojan.Atera |

Source | Detection | Scanner | Label | Link
55a38c.rbf (copy) | 26% | ReversingLabs | Win32.PUA.Atera |
55a38c.rbf (copy) | 28% | Virustotal | | Browse
55a38e.rbf (copy) | 0% | ReversingLabs | |
55a38e.rbf (copy) | 0% | Virustotal | | Browse
55a38f.rbf (copy) | 0% | ReversingLabs | |
55a38f.rbf (copy) | 0% | Virustotal | | Browse
55a390.rbf (copy) | 0% | ReversingLabs | |
55a390.rbf (copy) | 0% | Virustotal | | Browse
55a391.rbf (copy) | 0% | ReversingLabs | |
55a391.rbf (copy) | 0% | Virustotal | | Browse
55a392.rbf (copy) | 0% | ReversingLabs | |
55a392.rbf (copy) | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | 26% | ReversingLabs | Win32.PUA.Atera |
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | 28% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Abstractions.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Abstractions.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.CommandLine.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.CommandLine.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.EnvironmentVariables.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.EnvironmentVariables.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dll | 0% | Virustotal | | Browse
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Json.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Json.dll | 0% | Virustotal | | Browse
                              No Antivirus matches
                              No Antivirus matches
                              No Antivirus matches
                              No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                    http://openjdk.java.net/legal/AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      http://ca.disig.sk/ca/crl/ca_disig.crl0AteraAgent.exe, 0000000D.00000002.2313031801.0000024DF9EBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        http://schemas.datacontract.org/2004/07/System.ServiceProcessAteraAgent.exe, 0000000C.00000002.1818118229.00000160398B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          https://wiki.openjdk.java.net/display/JDKUpdates/JDK11uAgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            https://my.splashtop.com/csrs/winAgentPackageSTRemote.exe, 00000021.00000000.1966284128.000001545D092000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DA91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              http://www.disig.sk/ca/crl/ca_disig.crl0AteraAgent.exe, 0000000D.00000002.2313031801.0000024DF9EBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.ZAteraAgent.exe, 0000001A.00000002.2496479736.000002BB0022F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  https://chocommunity.atera.com/api/v2/Search()?$filter=IsApproved%20and%20IsLatestVersion&$orderby=DAgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744EC0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.00000217451AE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744BFE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstallerAteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      https://agent-api.atera.com/Production/Agent/dynamic-fields/AgentPackageAgentInformation.exe, 0000001D.00000002.2221998261.00000158A1873000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        http://my.splashtop.comAgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DB2A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip?Hy/oAteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            https://cdn.statically.io/gh/asciidoctor/brand/b9cf5e27/logo/logo-fill-color.svgAgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.4.exeAgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DB2A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DB4B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DB4F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                https://somewhere/bob.exeAgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmpfalse
                                                                                                  https://community.chocolatey.org/api/v2/8AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021745162000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.00000217448B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      https://asciidoctor.zulipchat.com/AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        https://www.nuget.org/packages/NLog.Web.AspNetCoreAgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2074018248.000001ED9CF08000.00000002.00000001.01000000.00000024.sdmpfalse
                                                                                                          https://josm.openstreetmap.de/download/windows/josm-setup-19277-java21.exeAgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            https://community.chocolatey.org/packages/javaruntime/8.0.431AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              http://www.jrsoftware.org/ishelp/index.php?topic=setupexitcodesAgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmpfalse
                                                                                                                https://rawcdn.githack.com/ajshastri/chocolatey-packages/a698d21b3c63b9ff7e01f442f37cdb7ecf89925a/icAgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744A95000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.000002175493E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.8/AgentPackageSTRemote.ziphAteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19BE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    https://josm.openstreetmap.de/reportAgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7369b44b-3c8c-44f9-9a12-59fb2620d6a4AteraAgent.exe, 0000001A.00000002.2496479736.000002BB0051B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 00000023.00000002.2071961959.000001ED9CE32000.00000002.00000001.01000000.00000024.sdmpfalse
                                                                                                                          https://ps.atera.com/aAteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            https://urn.to/r/sds_seeAgentPackageMonitoring.exe, 00000023.00000002.2075944227.000001ED9CFD2000.00000002.00000001.01000000.00000026.sdmpfalse
                                                                                                                              http://stexbar.googlecode.com/files/StExBar-1.8.3.msiAgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmpfalse
                                                                                                                                https://docs.aws.amazon.com/corretto/AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.3/AgentPackageSTRemote.ziphAteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19BE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    https://my.splashtop.comAgentPackageSTRemote.exe, 00000021.00000002.2565106208.000001545DB11000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      https://somewhere/bob-x64.exeAgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmpfalse
                                                                                                                                        https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/129f3953AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00521000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB00529000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          https://community.chocolatey.org/package/ReportAbuse/openjdk11jre/11.0.16.20220913AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            http://www.abit.com.tw/AgentPackageMonitoring.exe, 00000023.00000002.2066515114.000001ED9CBB2000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5AD4A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003E.00000002.2624009560.000001FC5B261000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              https://agent-api.atera.com/Production/Agent/dynamic-fields/script-basedxD/AgentPackageAgentInformation.exe, 0000001D.00000002.2221998261.00000158A15F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                https://chocolatey.org/packages/adoptopenjdkjre):AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  https://community.chocolatey.org/package/ReportAbuse/javaruntime-platformspecific/7.0.79.20161125AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/2.0/Agent.Package.Watchdog.zipAteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      https://ps.pndsn.com/vAteraAgent.exe, 0000001A.00000002.2496479736.000002BB00529000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        https://github.com/rgra/choco-packages/tree/master/server-jre8AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15A7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            https://agent-api.atera.com/Production/Agent/thresholds/129f3953-acb3-4c59-97d2-68ee1acc4037AgentPackageMonitoring.exe, 00000023.00000002.2045546102.000001ED8458F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              https://community.chocolatey.org/api/v2/package/openjdk8jre/8.342.07.20220913portAgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                https://agent-api.PAgentPackageAgentInformation.exe, 0000001D.00000002.2221998261.00000158A1873000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  http://www.w3.oAteraAgent.exe, 0000000C.00000002.1818118229.00000160398B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    https://www.jetbrains.com/teamcity/documentation/AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      http://mail.openjdk.java.net/mailman/listinfoAgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        https://community.chocolatey.org/package/ReportAbuse/server-jre/8.0.192AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.000002175493E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          https://ps.pndsn.com/v2/subscribAteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            https://github.com/chocolatey/chocolatey-coreteampackagesAgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zipAteraAgent.exe, 0000000D.00000002.2253518610.0000024DE15CC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                https://github.com/majkinetor/au-packages/commit/bf95d56fe5851ee2e4f6f15f79c1a2877a7950a1AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmpfalse
                                                                                                                                                                                  https://aka.ms/winsvr-2022-pshelpXpowershell.exe, 0000001F.00000002.1996079006.000001FC019A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1996079006.000001FC00E63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1996079006.000001FC019C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2324809347.0000027D80E89000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2324809347.0000027D819C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2324809347.0000027D8199F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    https://github.com/nlog/NLog/wiki/Configuration-file#variablesAteraAgent.exe, 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      https://community.chocolatey.org/packages/teamcity/2024.12.0AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        https://asciidoctor.org/docs/user-manual/AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          https://ps.atera.comoupsAteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            https://github.com/chocolatey/shimgen/tree/master/shim.AgentPackageProgramManagement.exe, 00000034.00000002.3136325966.000002175D822000.00000002.00000001.01000000.00000055.sdmpfalse
                                                                                                                                                                                              https://community.chocolatey.org/packages/openjdk8jre/8.342.07.20220913AgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                https://github.com/proudcanadianeh/ChocoPackages/tree/master/jre8/masterAgentPackageProgramManagement.exe, 00000034.00000002.2881869825.0000021744B67000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000034.00000002.3079612703.0000021754A20000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/38.1/AgentPackageMonitoring.zip?Hy/oLAteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.6/AgentPackageMonitoring.ziAteraAgent.exe, 0000000D.00000002.2253518610.0000024DE1A20000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2253518610.0000024DE19A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      https://agent-api.atera.com/Production/Agent/TraceAteraAgent.exe, 0000001A.00000002.2496479736.000002BB00385000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.zAteraAgent.exe, 0000000D.00000002.2253518610.0000024DE165E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2496479736.000002BB000F9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          http://www.datev.de/zertifikat-policy-bt0AteraAgent.exe, 0000000D.00000002.2327854230.0000024DFA6F4000.00000004.00000020.00020000.00000000.sdmpfalse
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1591190
Start date and time: 2025-01-14 19:33:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 14m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 71
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: XML-702.msi
Detection: MAL
Classification: mal100.troj.spyw.evad.winMSI@117/901@0/15
EGA Information:
• Successful, ratio: 14.3%
HCA Information:
• Successful, ratio: 63%
• Number of executed functions: 473
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe
• Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7832 because it is empty
• Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7864 because it is empty
• Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 8148 because it is empty
• Execution Graph export aborted for target AgentPackageSTRemote.exe, PID 7532 because it is empty
• Execution Graph export aborted for target AteraAgent.exe, PID 2936 because it is empty
• Execution Graph export aborted for target AteraAgent.exe, PID 7264 because it is empty
• Execution Graph export aborted for target AteraAgent.exe, PID 8064 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1148 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 7424 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 7676 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 7732 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 7828 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Report size getting too big, too many NtSetValueKey calls found.
• Skipping network analysis since amount of network traffic is too extensive
Time      Type             Description
13:34:10  API Interceptor  2x Sleep call for process: rundll32.exe modified
13:34:14  API Interceptor  1460x Sleep call for process: AteraAgent.exe modified
13:34:27  API Interceptor  36x Sleep call for process: AgentPackageAgentInformation.exe modified
13:34:31  API Interceptor  56x Sleep call for process: powershell.exe modified
13:34:32  API Interceptor  465x Sleep call for process: AgentPackageSTRemote.exe modified
13:34:35  API Interceptor  41x Sleep call for process: AgentPackageMonitoring.exe modified
13:35:10  API Interceptor  14466x Sleep call for process: AgentPackageTicketing.exe modified
13:35:11  API Interceptor  788x Sleep call for process: AgentPackageProgramManagement.exe modified
13:35:12  API Interceptor  28x Sleep call for process: AgentPackageOsUpdates.exe modified
13:35:12  API Interceptor  12x Sleep call for process: AgentPackageHeartbeat.exe modified
13:35:13  API Interceptor  1x Sleep call for process: AgentPackageInternalPoller.exe modified
13:35:33  API Interceptor  7x Sleep call for process: AgentPackageUpgradeAgent.exe modified
18:35:04  Task Scheduler   Run new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun
18:35:43  Autostart        Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {e883dae5-a63d-4a45-afb9-257f64d5a59b} "C:\ProgramData\Package Cache\{e883dae5-a63d-4a45-afb9-257f64d5a59b}\dotnet-runtime-8.0.11-win-x64.exe" /burn.runonce
18:36:06  Task Scheduler   Run new task: AteraAgentServiceWatchdog path: C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe s>eyJBZ2VudElkIjoiMTI5ZjM5NTMtYWNiMy00YzU5LTk3ZDItNjhlZTFhY2M0MDM3IiwiQ29tbWFuZElkIjoiNGViOGIzYWUtM2ExZS00YzdiLWE3ZjMtODg0ZGIyNzIxODk4IiwiQWNjb3VudElkIjoiMDAxUTMwMDAwMDVia0NPSUFZIiwiQWdlbnRBcGlIb3N0IjoiYWdlbnQtYXBpLmF0ZXJhLmNvbS9Qcm9kdWN0aW9uIiwiQXJndW1lbnRzIjoie1x1MDAyMkNvbW1hbmROYW1lXHUwMDIyOlx1MDAyMmhlYWx0aGNoZWNrXHUwMDIyfSIsIkFnZW50RGlyZWN0b3J5IjoiIn0=
                                                                                                                                                                                                                                      No context
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):145968
                                                                                                                                                                                                                                      Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                      MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                      SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                      SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                      SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 26%
• Antivirus: Virustotal, Detection: 28%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1442
                                                                                                                                                                                                                                      Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                      MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                      SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                      SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                      SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):215088
                                                                                                                                                                                                                                      Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                      MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                      SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                      SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                      SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710192
                                                                                                                                                                                                                                      Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                      MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                      SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                      SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                      SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):602672
                                                                                                                                                                                                                                      Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                      MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                      SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                      SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                      SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):73264
                                                                                                                                                                                                                                      Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                      MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                      SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                      SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                      SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3318832
                                                                                                                                                                                                                                      Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                      MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                      SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                      SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                      SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):8807
                                                                                                                                                                                                                                      Entropy (8bit):5.6578257255575055
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:Qjkxz1ccbTOOeMewi61/7r6IHf/7r6kAVv70HVotBVeZEmzmYpLAV77EXpY92r:QYD2A/p/tiB2iw
                                                                                                                                                                                                                                      MD5:CE3FC5BB35560FACDB404698BF9B69F2
                                                                                                                                                                                                                                      SHA1:3E63E9A7CEB57D51F05F8A55EADECF5CC43D0E0C
                                                                                                                                                                                                                                      SHA-256:89B8A85B67582D348941CB8B7C5ACB9F0ACC3CAAA850D3F068FE9A15FBA31408
                                                                                                                                                                                                                                      SHA-512:35D0EB377A686734D58B14E808D0B0E1F7C02A0023A3EF3C38AD839CF83D1D81B91A22F8FABBF533B204FCCF9D410F45C82EF647AA140E487B8B04E315DDAC64
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\55a386.rbs, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@Fl.Z.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..XML-702.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{38F01010-E311-4
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):9473
                                                                                                                                                                                                                                      Entropy (8bit):5.564887288663419
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:ejkG0cRwbLCsgRKbLCMDp17qEVl0QnLALtyD0qagukGGhaKfmbHt1fmqk8rEcZ:eYER2gREdNKKnqRT
                                                                                                                                                                                                                                      MD5:2C98333678CF2AD42BD34F5402601760
                                                                                                                                                                                                                                      SHA1:B8121159663CE85BEB40BD30DB64BC103C66C53C
                                                                                                                                                                                                                                      SHA-256:F91E0DC5961FDA4DBE88EEC1892CAC1D9C9FD237817DCDFE9D28157B71FB85F6
                                                                                                                                                                                                                                      SHA-512:3378D00BD26E2532606DF1AA72AC0A9A94ED970B24D2FC8356DD8B153D0C8FF7BCC3CAAB94F6EDB6E49C283296F64A543800E9545683EC75AB9A820998A792D7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\55a38b.rbs, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@ll.Z.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..XML-702.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\55a387.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....%...AuthorizedCDFPrefix%...Comments%...Contact%...DisplayVersion..1.8.7.2%...HelpLink%...HelpTel
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):8767
                                                                                                                                                                                                                                      Entropy (8bit):5.652591649753629
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:0y7wo+fncHMeI1G6ITG6k7s5VNpkxYpLso:0Po+fncH0GVGtSNpkcP
                                                                                                                                                                                                                                      MD5:884551FAC292B216EAA39A51E3C2B5A7
                                                                                                                                                                                                                                      SHA1:19CE42B58D6B88C51DE7354FE7A4CA598D819E4E
                                                                                                                                                                                                                                      SHA-256:752E61C76BD61F05F6280D19A1AFB4F70BD7AF1D41173701F681DE5BDD195EC7
                                                                                                                                                                                                                                      SHA-512:80B1CB9290C064685417DCC238A01A5EBD5E9DF550C4336635F1E68432898DF079AD8AA4E184B9F07A74AB8993F86106EA907D3CED82EB4683E551A120748C29
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\55a393.rbs, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@ol.Z.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):49141
                                                                                                                                                                                                                                      Entropy (8bit):5.876525928758599
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:TqoFVHvMRzGFKzt5uIRx5HKjKRrhSp6qf9nEtkP5CqTBDE8COm2rBzaDW3qgbomH:moFVHvMRzGFqt5uIRx5HKjKRrhSp6qf/
                                                                                                                                                                                                                                      MD5:EAE9F2858E4CC55FE5BB579135ED5720
                                                                                                                                                                                                                                      SHA1:4FD878736F41B368319261415B5EB67375F1F129
                                                                                                                                                                                                                                      SHA-256:FD293FDCF42495D2A6962AEF44732926250F5475C9D7D41D4C49016CC6CBFED3
                                                                                                                                                                                                                                      SHA-512:FFB0C40162B1350A95216B350FB09DE170072E3B537B72A917B10C6F66F27BB71672D4657CF7C49540031881CE815109B0DF4F946B35D3A73587DFC9866F62AE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@vl.Z.@.....@.....@.....@.....@.....@......&.{9C80213E-9079-4561-8D57-1FDD0D62251F}%.Microsoft .NET Runtime - 8.0.11 (x64)!.dotnet-runtime-8.0.11-win-x64.msi.@.....@.Z,@.@.....@........&.{D9788553-CDFF-4792-87FA-89ADA20ADBA7}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 8.0.11 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F81D99A3-0880-5654-AED5-B1AA39FA6285}&.{9C80213E-9079-4561-8D57-1FDD0D62251F}.@......&.{E6B3315F-85DE-56F4-AA3E-2A4820293382}&.{9C80213E-9079-4561-8D57-1FDD0D62251F}.@......&.{115BDECA-5A1C-5E3D-8EC7-4C45804415E5}&.{9C80213E-9079-4561-8D57-1FDD0D62251F}.@......&.{605499FF-1868-5A10-9952-9F413E0E17EA}&.{9C80213E-9079-4561-8D57-1FDD0D62251F}.@......&.{2869C3B1-74C6-50FA-8ED4-D408ADA4C59E}&.{9C80213E-9079-4561-8D57-1FDD0D62251F}.@......&.{EC639FA4-5778-5619-B7EC-C5FA45025FC1}&.{9C80213E-9079-4561-8D57-1FDD0D6225
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):9055
                                                                                                                                                                                                                                      Entropy (8bit):5.577309937978488
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:IO7cgkoKThpetZWO6ZEIdLWO6ZEQmdEE2gU/Veppaxk:Idew9wn/e
                                                                                                                                                                                                                                      MD5:1809F36B358BF2A5678B4395C069F6FD
                                                                                                                                                                                                                                      SHA1:9254920D9A868FBCFB673E604FB0A4779A21AE77
                                                                                                                                                                                                                                      SHA-256:BDF98D2A1A123F5C0865D3E89B2DB94D1ED5AD3A870D6D303EDCD61968D9931F
                                                                                                                                                                                                                                      SHA-512:9A9ADD98F5D12F7B53B564D6CB040C66D1DA4B443725FD90E95FCA789FFC59E37285EFA6C72CF7305A4AED323F5373B465D41DB404A33F6468D2289862BA9A2F
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@{l.Z.@.....@.....@.....@.....@.....@......&.{F59C11F0-D73F-452B-8D1D-8C33B82D8507}..Microsoft .NET Host FX Resolver - 8.0.11 (x64)!.dotnet-hostfxr-8.0.11-win-x64.msi.@.....@.Z,@.@.....@........&.{EBC96263-55B4-4BCE-B9C8-B460A20F0BE4}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 8.0.11 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{4FD6DFC4-5859-531B-9E4A-DE2781CCA754}&.{F59C11F0-D73F-452B-8D1D-8C33B82D8507}.@......&.{88F54D57-4C26-5E97-B6AB-FB77E26C265C}&.{F59C11F0-D73F-452B-8D1D-8C33B82D8507}.@......&.{8EC524B8-7864-5ACE-B320-2D36216EBC12}&.{F59C11F0-D73F-452B-8D1D-8C33B82D8507}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..(.C:\Program Files\dotnet\host\fxr\8.0.11\....3.C:\Program Files\dotnet\host\fxr\8.0.11\hostfxr.dll....WriteRegistryValues..Writing system registry values..Key:
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3868
                                                                                                                                                                                                                                      Entropy (8bit):5.0747878623065565
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:Fmxo9BHHWe4ptTlAoN7ps+cTlAoNs+dWpilkEosoxy:IO+eidEd3AHk
                                                                                                                                                                                                                                      MD5:0427E3C2B7D6F81B8ACA3F13F5A33913
                                                                                                                                                                                                                                      SHA1:0BFCCF0F8DBD3C2AD8C5132119193197A6B8D795
                                                                                                                                                                                                                                      SHA-256:2219B9D06F4AE9DD689604C25BFD2B3ADE48B1BF01ACDAE57095DF4B92C549C2
                                                                                                                                                                                                                                      SHA-512:F29539302AC577641FE82E5FD6793A1AD7B7D46A8A97D89444778440B1F133729B62DDD809707939054CBFBECF11E6012DED2FA1582A7CAB64F816FEA5C03E84
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@{l.Z.@.....@.....@.....@.....@.....@......&.{F59C11F0-D73F-452B-8D1D-8C33B82D8507}..Microsoft .NET Host FX Resolver - 8.0.11 (x64)!.dotnet-hostfxr-8.0.11-win-x64.msi.@.....@.Z,@.@.....@........&.{EBC96263-55B4-4BCE-B9C8-B460A20F0BE4}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 8.0.11 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....RegisterProduct..Registering product..[1]$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0F11C95FF37DB254D8D1C8338BD25870\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....$..@....3.Software\Microsoft\Windows\CurrentVersion\Uninstall.............................................. ...!................... ...!.......?........... ... ................... ... .......?.......................................?...........
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):10267
                                                                                                                                                                                                                                      Entropy (8bit):5.638327895996659
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:RvoazP8lwgseFqnZ4kEIf4kE8ZLQ1YEsLdAswXpYUt6ep/n7UTZclqP:RvoazP61qZ4kP4kTZLMMxXwXpYUttn74
                                                                                                                                                                                                                                      MD5:778156E4B3CDA4FE9528CC067D890B58
                                                                                                                                                                                                                                      SHA1:05D328CCDB5F34E3EDEAA8D0C13DFEFDE60A2C88
                                                                                                                                                                                                                                      SHA-256:D5FB5CE18A278EF57C78A98719228F8275FAA06231A3051791CF3C81E1610AA3
                                                                                                                                                                                                                                      SHA-512:1B1CB1E8132E40BCB052FD8F344F94E74B41DC3E13273CE35986F3E3E6AEF46147063058EE52B85BA64EDFFAB4969635124F0CE7611BC09059D5ACD5C0217CE9
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@|l.Z.@.....@.....@.....@.....@.....@......&.{362B4D0D-8438-44DA-86B2-FEC44E000FCA}".Microsoft .NET Host - 8.0.11 (x64)..dotnet-host-8.0.11-win-x64.msi.@.....@.Z,@.@.....@........&.{821DC2A6-AEB1-4796-80C6-7F7EC027B94F}.....@.....@.....@.....@.......@.....@.....@.......@....".Microsoft .NET Host - 8.0.11 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{7ECCA0D4-8C88-50DD-A538-CDC29B9350D1}&.{362B4D0D-8438-44DA-86B2-FEC44E000FCA}.@......&.{45399BBB-DDA5-4386-A2E9-618FB3C54A18}&.{362B4D0D-8438-44DA-86B2-FEC44E000FCA}.@......&.{EA9C3F98-F9B1-5212-8980-CFEAF2B15E0D}&.{362B4D0D-8438-44DA-86B2-FEC44E000FCA}.@......&.{E4E008C8-57A8-5040-BB34-03024B15B6C5}&.{362B4D0D-8438-44DA-86B2-FEC44E000FCA}.@......&.{CE35924C-AD31-51DF-B84A-A8052ED08400}&.{362B4D0D-8438-44DA-86B2-FEC44E000FCA}.@......&.{A61CBE5B-1282-4F29-90AD-63597AA2372E}&.{362B4D0D-8438-44DA-86B2-FEC44E000FCA}.@....
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3793
                                                                                                                                                                                                                                      Entropy (8bit):5.04650633851812
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:0mKz/5We4WOtTlT7WO4icTlT4idWWiiWy4P0Sy:R1eVegTLXMd8P
                                                                                                                                                                                                                                      MD5:4EC27F20BB678D9BCE78C9A11DAC7472
                                                                                                                                                                                                                                      SHA1:4575CBB2A49FCF2B104EB04049D4E3F8C7308A9E
                                                                                                                                                                                                                                      SHA-256:5F8584DA1FA0FE0A54B501B1FEE281DA19B328C34885FA69B7BBC5622005D178
                                                                                                                                                                                                                                      SHA-512:C01BEF8A6556E80C665A9D57E188187531A779E0B7C136B5D8D56DA0521A02AC7A85CD5292078461EBA08CBB3F5399A91E7D94B7FC109C637D95659C34A6D188
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@|l.Z.@.....@.....@.....@.....@.....@......&.{362B4D0D-8438-44DA-86B2-FEC44E000FCA}".Microsoft .NET Host - 8.0.11 (x64)..dotnet-host-8.0.11-win-x64.msi.@.....@.Z,@.@.....@........&.{821DC2A6-AEB1-4796-80C6-7F7EC027B94F}.....@.....@.....@.....@.......@.....@.....@.......@....".Microsoft .NET Host - 8.0.11 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....RegisterProduct..Registering product..[1]$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D0D4B2638348AD44682BEF4CE400F0AC\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....$..@....3.Software\Microsoft\Windows\CurrentVersion\Uninstall.............................................. ...!................... ...!.......?........... ... ................... ... .......?.......................................?......................................
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):753
                                                                                                                                                                                                                                      Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                      MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                      SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                      SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                      SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):7466
                                                                                                                                                                                                                                      Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                      MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                      SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                      SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                      SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):145968
                                                                                                                                                                                                                                      Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                      MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                      SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                      SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                      SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                       • Antivirus: Virustotal, Detection: 28%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1442
                                                                                                                                                                                                                                      Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                      MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                      SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                      SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                      SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3318832
                                                                                                                                                                                                                                      Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                      MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                      SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                      SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                      SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                       • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):215088
                                                                                                                                                                                                                                      Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                      MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                      SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                      SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                      SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                       • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710192
                                                                                                                                                                                                                                      Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                      MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                      SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                      SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                      SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                       • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1346409
                                                                                                                                                                                                                                      Entropy (8bit):7.999112358714754
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:24576:pBIpj/UxSFjQRUWNqDqb9JFOThCrI0rQIhPFhvWupUxNjcaPkH:pWpwwFsiWNqs9CThCrIEQUFhv+NjzE
                                                                                                                                                                                                                                      MD5:B6DCC5B35594B03E37653026C02A869A
                                                                                                                                                                                                                                      SHA1:84B2D4A35FDE41CE12DFC15760B44F2EDC0BD87B
                                                                                                                                                                                                                                      SHA-256:986582F17A980254DB23F364423EC30DEDC09071947789CCAD13A35570F4DCF6
                                                                                                                                                                                                                                      SHA-512:10D8A20F85572643D4DC4B33E4593E04057405F7FC97E21D8DC10F224C46E80FF1A7F4F15C3E22DF7EBC2F634F4C769DA8EB5858F1FCB46457209E93DBF72F97
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32679
                                                                                                                                                                                                                                      Entropy (8bit):4.993467033531541
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:YMiXbLuNFLgxnzeynrL390PbFM1Orsc+enjBy6qY2871Yu9IM8yzI:YHX+CRN0PbG1Orsc7XqYR71YyIM8II
                                                                                                                                                                                                                                      MD5:38486C0ACFBA470AAC49D49A89B5DF27
                                                                                                                                                                                                                                      SHA1:6BD5DE6CB5B60475612E768DB50BBC45936B5AFD
                                                                                                                                                                                                                                      SHA-256:57825C85B5FD5FFBD35133FD24139BC623C10B50CBF9103E11B4E86E78225E54
                                                                                                                                                                                                                                      SHA-512:BC7426C19CF9E74379785678A528A38E0D4005338B7F0A5039C2C3A46C8874FD04A5FE94D8BEE07CAEFE8AAA2A88E5E59179B7080CCB012F8F2FD4211C69A2D0
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {.. "Agent.Package.Availability/0.16": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.0.0",.. "MQTTnet": "4.1.2.350",.. "MQTTnet.Extensions.ManagedClient": "4.1.2.350".. },.. "runtime": {.. "Agent.Package.Availability.dll": {}.. }.. },.. "Microsoft.Extensions.Configuration/6.0.0": {.. "dependencies": {.. "Microsoft.Extensions.Configuration.Abstractions": "6.0.0",.. "Microsoft.Extensions.Primitives": "6.0.0".. },.. "runtime": {.. "lib/netstandard2.0/Microsoft.Extensions.Configuration.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.21.52210".. }.. }.. },.. "Microsoft.Extensions.Configuration.Abstractions/6.0.0": {..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):64080
                                                                                                                                                                                                                                      Entropy (8bit):6.3186377650567
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:tpU+qNEN8hGUdlhkjqMCgoGIxBNPlaWxk4TKZ08gDT7iC6gW3GIXtHEje4TEpYiF:zU+CkuMChNPlakNcgD8ge1+Js76NA
                                                                                                                                                                                                                                      MD5:8569FD90EA1BF5ECCCA2425B9BC7143A
                                                                                                                                                                                                                                      SHA1:E5AC06B45E15D1E638526AE181FB0594E54C0BD3
                                                                                                                                                                                                                                      SHA-256:000C035B77D9E882FC21D5C3E1BA84D8FB7BFE39BCCD9349657719D8CBF80AED
                                                                                                                                                                                                                                      SHA-512:81451E5F80A02D913BA20F0F6B882FAA48CED88EBAC6922397031C2227C20B37E82FF4A9108C52D57A9C1F70C486E06E85CCAD1BEB780D180F1F651697804C9E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):161872
                                                                                                                                                                                                                                      Entropy (8bit):6.231624623837034
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:T5vnr5Tbx829UOeKnn2LFzZBp13u36wKp4CULCbodli:TBKjK2LFzZNfJULyZ
                                                                                                                                                                                                                                      MD5:1922740D2479C7D0CD6FB57C3D739543
                                                                                                                                                                                                                                      SHA1:877A807A396156BE1D0C2782391CABC29EA15760
                                                                                                                                                                                                                                      SHA-256:20443F66E184311FD412158CB162E36B0172332CD6D401CEC9EE5FE17DF75E58
                                                                                                                                                                                                                                      SHA-512:D624BAD0FCD8AFC190A5DE241DA341A3F39D6AAA0E5EACDF8B14E8E74515B688F06E2CDC75DA0634880EA98238A1D26CD2D2BFAEDB6D92067DACE99D0963975C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):14
                                                                                                                                                                                                                                      Entropy (8bit):3.8073549220576055
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhVLD:WDLD
                                                                                                                                                                                                                                      MD5:9A7D20AAA012D185DB528C72378B0ACB
                                                                                                                                                                                                                                      SHA1:CD17C5DDB04E5CBAEBA56BB883B2BD0BF8C529DE
                                                                                                                                                                                                                                      SHA-256:CBA7D06C662A6601164CBC5A0F4086E247DC1ACA7CCF2F72F4443C88DDB29095
                                                                                                                                                                                                                                      SHA-512:961707F9926401EED9FDF892484527D253514F336B2AEF0A450184EE125DB940823E933739ABED422BC97B37E4094EFB3C9C355154F86984EB36508ED28BEE90
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=0.16..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):253
                                                                                                                                                                                                                                      Entropy (8bit):4.585549446641918
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:3Hp/hdNyhAkI/XCkyFNOJeZS1sHZeQ6NOCUo+K8EkNTy:dFkp5MeU1s5hex+K8Es2
                                                                                                                                                                                                                                      MD5:24E4653829DE1022D01CD7DDD26E2F22
                                                                                                                                                                                                                                      SHA1:9160A009CB381E044BA4C63E4435DA6BFEB9DC6D
                                                                                                                                                                                                                                      SHA-256:DED3AEB5856A11DB0B654A785574490CAB55839EBFB17EFE9E39B89618FC5B91
                                                                                                                                                                                                                                      SHA-512:EFD4BBBA1BAEC0B47003831510E3AA539DB9EF468E0F06BA9D7BA6D0B3800035F7C818D7D90171BFD377EC97D08C4617555BCFF635DD83EFCEB412B1A9CCA820
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "6.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):59472
                                                                                                                                                                                                                                      Entropy (8bit):6.23062387412576
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:p36VpFishtGAb2BAst2t1z2C0qePts2+lpmjouk3KKlGT1S3k7Z2GEpYi60X2M:OFan4tkC0qH2ip2ouXi21oG2n76c
                                                                                                                                                                                                                                      MD5:1E5A96F64AB2BD11D6D6ABE917B6DEF0
                                                                                                                                                                                                                                      SHA1:B5E3B831BD0FD638B83553352F31088D67846F03
                                                                                                                                                                                                                                      SHA-256:49747FAB0830BEA9BED2ADCE543E61F75FF748340B78CF08CA598F9577B9C62E
                                                                                                                                                                                                                                      SHA-512:7673DBBA81AD88CC13AF1C195154D1D5764A343AAE59B67D5C97355FEF40E67CF4E517878A600E42759167B8B357D0FDCBAED4CAA99AD522D60E8CF00CB86CE5
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll, Author: Joe Security
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):54352
                                                                                                                                                                                                                                      Entropy (8bit):6.2479944729426595
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:wjPkdaG23BdHAnoekKhbdzn9kpWcwfRLzfoZrx6nnPMfm8XoJE5GtSdxEpYi60a:ePGShI7mW1ZoZrcn0e0oJ4Gtu676f
                                                                                                                                                                                                                                      MD5:EA230454940D473CF51913ACA3B16652
                                                                                                                                                                                                                                      SHA1:278C6D8FF7EA387B6B4FDC4063E891CD73B537CB
                                                                                                                                                                                                                                      SHA-256:ACBBA44A069132A6B42EDF97F9301638AC048BB40BFF03ED14A40ADF95B1FC71
                                                                                                                                                                                                                                      SHA-512:7E8617D67CDC23B5877438FBC1A17B552CC7F6D60237ECCAF557E385F0B450860D7678750D8B17B501936C33F9B41C03286D86EB35C19A4B61FDDCCFA3AE4F44
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):311888
                                                                                                                                                                                                                                      Entropy (8bit):6.172921538830622
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:7F0eAyIQXbKwPMF83GUN/7a3zyROhmogpE2/M3jA:78QLKwPMKGUuBhh33jA
                                                                                                                                                                                                                                      MD5:157CC7C91E4BD0762F22115A83FD1304
                                                                                                                                                                                                                                      SHA1:15346E10DC67CDB18D1BA2907B9EA0C8639DC620
                                                                                                                                                                                                                                      SHA-256:BC1009ABB39FF7FD048EFFB52E586B2D1C14B9499A195DE4AA750C3613F2DE49
                                                                                                                                                                                                                                      SHA-512:D196C7E35FE131703FE2214A341CAF1B24162C53D168E552BB1EB292ACA91A7B60C682D3E18179483BAE5B30901A43F4640F04604604FF3EB1C7E25D84E302CE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):26192
                                                                                                                                                                                                                                      Entropy (8bit):6.566795920462708
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Ym++Js0qJ63NU17qtlR9iaTG/0wEzRjz6sMHJhOnAWM/aWsrNWsNyb8E9VF6IYic:3lso3W7qHypd//S7EpYi60sAw
                                                                                                                                                                                                                                      MD5:0F40262268DB5E64DC7860A799B14784
                                                                                                                                                                                                                                      SHA1:ABFB078EC0A37045F909E58DF75994103E7576B6
                                                                                                                                                                                                                                      SHA-256:BAF1C2217E59C905521F286C506291B1EF07FBAE426B804927AFF448B57C58C2
                                                                                                                                                                                                                                      SHA-512:0D45A8F062813F84BE24976C642C953A9367DCC7543136A40A92BEF8216647BCAA7B8C58E84825C264F10D37C0319F92122DAC4FF498441B35EB09CD4980E816
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):34896
                                                                                                                                                                                                                                      Entropy (8bit):6.489176330590773
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:DRnQyuN61yKW1Guh2dIewN3czA8i1Krao8EpYi60RD:DdgA1yKW1L0dkNc081+oV76E
                                                                                                                                                                                                                                      MD5:34B8504411DAF6B69B362203E11DB477
                                                                                                                                                                                                                                      SHA1:34A1FC5F1A073725E358AE2BE24D67C3A9013EED
                                                                                                                                                                                                                                      SHA-256:E60445F54E33A72F2D8793A25C0F1E25DFA2D3B8189C5BC3EE477502BA920140
                                                                                                                                                                                                                                      SHA-512:4D88EEEBC8E7A380D85DC8F55F4E58E14CB635FA801AC04FE246AAC1EA1F79ED663C5947ABEE2074DAEDBC85C97311159D3DFBB1FCECEB048177FADADC453374
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):24144
                                                                                                                                                                                                                                      Entropy (8bit):6.679156647753176
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:I99FrztnCvZrlMIPTlLn9by3WKbW97nWaNyb8E9VF6IYijSJIVxut8X7d/oE:Abztn2AmxniKfEpYi60ZeE
                                                                                                                                                                                                                                      MD5:63030F7861AFE3D57EEA5278B14671B6
                                                                                                                                                                                                                                      SHA1:130B90DA81BCD69549D7272DCC04ADDAB1DC18D2
                                                                                                                                                                                                                                      SHA-256:77A8B815ABF8316E41D5A20DACE2B1EBC7A21D55B0D812B0B29E564C1A79BD1D
                                                                                                                                                                                                                                      SHA-512:82730F5B15201E669706EFF1DC617FCDC69ADAAF916F6127291999382DF631769387CCF06B70B52AC2BAA8A08A25CC81CA00B7CB2D6F4908D3A84F9E464B8E74
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):19536
                                                                                                                                                                                                                                      Entropy (8bit):6.730237218870487
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:ssGu6f0Ux3STFWUQeWiNyb8E9VF6IYijSJIVx/HyZr:ssGuWRTiEpYi606J
                                                                                                                                                                                                                                      MD5:D5B282AA4788540C2FB0FBC9902649E1
                                                                                                                                                                                                                                      SHA1:2439B443C6568BAACB95C2E67968F5FEABE92E18
                                                                                                                                                                                                                                      SHA-256:3F11122AE5F99C29275057D92E4611D4F0611ED7FF7CC2DDC7FF50714462A241
                                                                                                                                                                                                                                      SHA-512:3510BFE7F4DB4B63AC0026ACFF88672AEA82B96AB57D966E718F9FB095915C647B255B8BD02F5CA4D79FA19BA342153692F0760A3FC142CC1C233E4DC03C30DD
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):27216
                                                                                                                                                                                                                                      Entropy (8bit):6.552210662146974
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:EY5JfZB7plLDwLx0umTZXA/XABRfhzWqr6WBNyb8E9VF6IYijSJIVxeB8eu74u5O:lrd8Y0wRhz5EpYi60eXIE
                                                                                                                                                                                                                                      MD5:420ED08E70F259AEE9353E4C9B51D392
                                                                                                                                                                                                                                      SHA1:BEFE42898F0FE7713325A2F923524C19DA2E646E
                                                                                                                                                                                                                                      SHA-256:1C0DCEA5EA2D00EB689E8498727027E13BFCE4224EC92040AB55ACBB663A46FE
                                                                                                                                                                                                                                      SHA-512:9874FC1D5A162BC92F2006793CF5431A82AC21D8F27458004C2E99A9D1E504B50C6431A27DC26A84489BDA5D1C8ED9A1BA53EC7F10B3440C201BF36F8CDD7203
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):26704
                                                                                                                                                                                                                                      Entropy (8bit):6.558340768117845
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:AI2/cK/FWwbGXC8e1lje1l6RWkb2WmNyb8E9VF6IYijSJIVxEtI:AI2/cqFWwSl6hXGEpYi60t
                                                                                                                                                                                                                                      MD5:85A89861DE331E9F0BEAC235187512BE
                                                                                                                                                                                                                                      SHA1:00973F441FE6278AEE21DAED8811D05383356F50
                                                                                                                                                                                                                                      SHA-256:418F2A8936A03E968ABB72DB0FBF4005F0B60D1BADAF1F121DC45855F71EBF4C
                                                                                                                                                                                                                                      SHA-512:9844272DC89D8A9A5851ED17551822D7DEC6430C180EBD98BB7A73463E44869C168FF0CD110596272589AE73C968AE4B1489734EFB449E34EE306E285B894CC3
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):25680
                                                                                                                                                                                                                                      Entropy (8bit):6.505889105423614
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:nw6kebL1iFn6d6E1oE1LdAAW9ACWDNyb8E9VF6IYijSJIVxvcTERE:xZbcWusrEpYi60m
                                                                                                                                                                                                                                      MD5:6D9218D0B9D5E103BA0FE7E9DB975F7F
                                                                                                                                                                                                                                      SHA1:2F661F39C09925555375942A5D80A015F556E8B0
                                                                                                                                                                                                                                      SHA-256:7F6BED28E99D475E90160AC74CE81AED6CBCE8F67F475E73AE66DF13E92B4AE2
                                                                                                                                                                                                                                      SHA-512:774381BCF9B344AF16AF8F3A374F1A5C8B381B0C3FE8806BF6AEB0B4773F42FBDC0A869C03A5B213B440F6C0AE8CC948EB17FC31E6B991FA15EEB3B6FBE71D80
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):37456
                                                                                                                                                                                                                                      Entropy (8bit):6.448738986499155
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:4i4PV4eWxaVsQLqyCekI/q/xGljnEpYi60kmub:4aVxa2QXUxajA763db
                                                                                                                                                                                                                                      MD5:57D7440298C07A43F1FEFE0BAC5FCC43
                                                                                                                                                                                                                                      SHA1:82A9581F06E3FCBFED42A39E85EA83CCEE8FD48E
                                                                                                                                                                                                                                      SHA-256:690F1D74CF5A652D988233991B0D1702B84E7EBAEEFF56A071877CF0C31D060B
                                                                                                                                                                                                                                      SHA-512:76F990B7A6ACAD8F592FEA9E0B802B4B227A15EDE072BA87B57154F339873C61C576BFA4F9FEF1307A8BED5269C32F28EFABA9C039EE895F79B2B26D91F25D93
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):44624
                                                                                                                                                                                                                                      Entropy (8bit):6.259394998120094
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:/8+cxuPn//hpz2XCkCkCdvAb4b4qox06OoV0F8l0HCTpw0wo0emWEpYi60s+:k+cxuPn/bvvE0Q0HCNfBsX76P+
                                                                                                                                                                                                                                      MD5:B90E964326DE0C8B88FEC1B41E37BE3A
                                                                                                                                                                                                                                      SHA1:5FA376EFF79CB42669A7D8336494C06A3CCE157D
                                                                                                                                                                                                                                      SHA-256:42D911959EEAA89203052A878A7F68E847E487E967F418C9C6904E956BE22FCF
                                                                                                                                                                                                                                      SHA-512:D3F9A84E3BB06E1C72EE9691988DDE62A105FD07EAB17B22A59A69F8F7A7DA54734BF8633D9DD92E24F094F908B4BE61154627F391338F9F60FE1D15094C4651
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):82512
                                                                                                                                                                                                                                      Entropy (8bit):6.2802579422578315
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:/NLmvi666OjIX0h9zMPvHBWCaRweUG4DynjEZnBU76g:J66fjLb8vH0CiUG4DyneBUr
                                                                                                                                                                                                                                      MD5:EEDAB98D5F5A53C61ECFF3DCA033B5B1
                                                                                                                                                                                                                                      SHA1:AA04C41DA7B0B85F9E1FAF797E2FA48C9D7F9F9C
                                                                                                                                                                                                                                      SHA-256:5F0E0CBEAE8F88516A9CF9991AC7B2A86B6135214B5F0DABF9312919AB33AFF7
                                                                                                                                                                                                                                      SHA-512:12BA31C5A55EBFC392B2C5916DAB4A5C25DCB2EDBCF3B9CCCAF7F9841FE31EB45A45B927F69ED90C5DA9C13C32F61500136004245563D0DA2C5D1C44377F1AD5
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):22096
                                                                                                                                                                                                                                      Entropy (8bit):6.571092050997703
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:TlfkJv/RYTWl6+MTxMufuMc8CWsbhWNNyb8E9VF6IYijSJIVxU3iFZb:TlcJnRYTwIjJ66EpYi60tZb
                                                                                                                                                                                                                                      MD5:EAAA8C11C7D2A7AB2593E00D669FFCDF
                                                                                                                                                                                                                                      SHA1:672037C7C38474C9F53815FC3C9E2925E9404DBE
                                                                                                                                                                                                                                      SHA-256:CF9DC1C970C7E6BD70A139E4BBC591FA1A97A3DF382C86E806A9F1B3271AF551
                                                                                                                                                                                                                                      SHA-512:2920F77C47E2A3FAB5760DCADBDF3ED68D09B81ED46CB16469CEC367B4EAF6842B0F9918B99E7BE09788C8D817FAD9B3A52402DEA20383D6832D69CFF5209C87
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):43600
                                                                                                                                                                                                                                      Entropy (8bit):6.434975332952962
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:qHxWCQ4MPJG3cOeeapdUgsWflN+Qu5sEpYi60b:qHxW58re3pdUqN5u5l76+
                                                                                                                                                                                                                                      MD5:D2419C8E9CEE2128F892BAE0334A37E5
                                                                                                                                                                                                                                      SHA1:86EF28CFDA0821E7B426B7451ED348E1C077095D
                                                                                                                                                                                                                                      SHA-256:F3BE4F0128FCCEB85499F5AD3463929AE8E93C0A075A569E1B25BFE88F63A234
                                                                                                                                                                                                                                      SHA-512:018BB02E7E783CA1B0B2341319494285CA9B0699261A89E0CF15D7165D1757EED559A2BCD7E25E6C7204097312F70A840CA3051C4459732BC3616BB8C771B9A1
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):45136
                                                                                                                                                                                                                                      Entropy (8bit):6.354947891419325
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:qlwMU3jMMSPNueKQWjRUILOK2Ksf/qSCgHgUsJ5EpYi605:quMUJqLWjRHFtsHqSCgHgUsJC768
                                                                                                                                                                                                                                      MD5:9A677FB8A444488A7887BE910598539E
                                                                                                                                                                                                                                      SHA1:F9470CA9A9BC0C971425668106F0811B3615071E
                                                                                                                                                                                                                                      SHA-256:827DBA0A8A6592252544374CF0891EB71BDBB419646DF8FAE38327F7FC6452E0
                                                                                                                                                                                                                                      SHA-512:B82690A85ED969F553EEE3E973D9EFB53FB7B96104BF59626B11D389D4BCA62D01118A2F9DD1690EE248CD2C048AC99F128188694CDC878CBB5B324CCDE8C41B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):28752
                                                                                                                                                                                                                                      Entropy (8bit):6.563026480365638
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:nfGp7YacaEaVNbG12flBF76euwMw0tXXVfFQkzsG9kni7QXRdQWibdW/Nyb8E9Vg:VwVNz9BF76ejMbmHXRQEEpYi608
                                                                                                                                                                                                                                      MD5:0B53E20335B2F60BEA3A24F521C3722D
                                                                                                                                                                                                                                      SHA1:8BDC869C12CDC878C6FB48AB6E23C3621B45C5AE
                                                                                                                                                                                                                                      SHA-256:4C67D8989C89C4553ADAD3854DD78392B046A1ABCDC6A27163144FAB16BEAF0B
                                                                                                                                                                                                                                      SHA-512:5E093C26B492D961A4D6C32A5933BBB6F697C1826A08FA26DA8BB1F7E5C1625E5E84EA51BCAC13E5AFEBCD928AD8E7DFD0BF6D35C2B8846F41B2298CEF8E29CB
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):56400
                                                                                                                                                                                                                                      Entropy (8bit):6.30415225033415
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:sBu8CE7AFg+0ITvhADGmnnbaTfP63+R3u9q09ePEpYi608LAed:scfWA2+DjaD/nnba+3uwq09eo76vNd
                                                                                                                                                                                                                                      MD5:942F74ACE0A1AD5D7FB33396775886CF
                                                                                                                                                                                                                                      SHA1:44176E149A2E636B07C5337DC2436058D3482941
                                                                                                                                                                                                                                      SHA-256:332C188781DB51141C21FDA8856A7B5B72869F2BCDA9F15E16A443A9D7AAAA89
                                                                                                                                                                                                                                      SHA-512:26C3D2E31242CC805F425226D2EC28CA2C2C89079F3C3A7BD9C91A42CB62CAF9CBB3D2605E49F2AA6B0271B9FA9C823E004383454760EE8E78D601108BFCABFA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):63056
                                                                                                                                                                                                                                      Entropy (8bit):6.2857708531976195
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:S+UfRQY8PGNWovMLJYBjtLgnuAAAAAknwd45FnrfMq1/yJuoiYblHJg6GOmDuZEr:S+tY8PIiq51wcFnDMsno7jRmai76+
                                                                                                                                                                                                                                      MD5:8E7BC8F33E83F98BC5112D8DF48FA624
                                                                                                                                                                                                                                      SHA1:E63BBFC1452DB5EA6A57A1B5AE50E2C03E758A29
                                                                                                                                                                                                                                      SHA-256:DD73348A85A38D063A0DDFED8EF10DAACC1C30CC3AE801E9D098EDF8E4833EA2
                                                                                                                                                                                                                                      SHA-512:B0A6254F2B4DB36614DFD2B2C2F6CAE70C6504ABBAC5F18139590AAC4DD71DC11B5D0102AFF85E92660F917D752193F117273A934575D0A55441A9F1DB0AAE7E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):27728
                                                                                                                                                                                                                                      Entropy (8bit):6.551066390151139
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Rr0yw26S3QgV/UxNmsUspvnipmgNRLGc3WxsBU7RWPpNyb8E9VF6IYijSJIVxfj8:Rr0j26i92L6zBU7qEpYi60m7
                                                                                                                                                                                                                                      MD5:0B26D5C7509CE13F88CEDD513719750E
                                                                                                                                                                                                                                      SHA1:95014FA4FB133B6F9810D03AB7C0556DAC22E4D2
                                                                                                                                                                                                                                      SHA-256:C85323605DFDE235F9C0E7C8AB25FEB3BFDE3CDD10A53BF86352992375A02228
                                                                                                                                                                                                                                      SHA-512:482492B666A970CF662E1B334885102B047B73A48685FDB1ED62BA59E2F954AECA4233E8DD19FB631C165505D7B665A848CF12582261A98F09BB5151AE390C04
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):51280
                                                                                                                                                                                                                                      Entropy (8bit):6.366090837889375
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:TTGWFIlYoY5b3OxMZnndnnennnnnnRt3nV+JEtpzU+uujK2lBJqFsSjKcb72EpYO:TiKIe9JyvSCG2l+NT76w
                                                                                                                                                                                                                                      MD5:01C3D505F70553DA5CE5749B2072598F
                                                                                                                                                                                                                                      SHA1:F968657B17033E6C3DE5EE33F829EDAC3C0A9902
                                                                                                                                                                                                                                      SHA-256:41BB9C82269D3880590C76AE5D918CBD2F9A9A985E14167EDD4C46BC01EF0C57
                                                                                                                                                                                                                                      SHA-512:03A7A8D0DED1E071364C9F3C50AE6CD3DBE8B7E3D2DD7EDFA1DCD4D7A7150FA68F3E0DB67856F35ADA57D807A21B703B11293E9DA2A49B94E5D801633568AB4A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):19024
                                                                                                                                                                                                                                      Entropy (8bit):6.631317912248179
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:mv+kBD/v7WJZVMWurNyb8E9VF6IYijSJIVxCb70T:mmMbumEpYi60GAT
                                                                                                                                                                                                                                      MD5:8E9B5EF88B7EBD9A0CC4E648B7C061B6
                                                                                                                                                                                                                                      SHA1:E67049110D70876111CCBE4303AC577797F4AA6C
                                                                                                                                                                                                                                      SHA-256:C2F3C2BED46301899721451BAF54E7703B1F803F5B91C88BFF6094D4970580E3
                                                                                                                                                                                                                                      SHA-512:CD0D600C8C6D42BC8FBFEFDC58E633BBE46398FD3ECB98601B8AD4DF88E4F547A937D9596DCC7A3CEB495F9828784CEE1F1EF1230380443A23E8C8F26123ECF8
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):25168
                                                                                                                                                                                                                                      Entropy (8bit):6.59691314093314
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:JzTu6iOUdGgvklNpdOHhvVhZQVW27FWcNyb8E9VF6IYijSJIVxC/po:JziZOwklFYh43EpYi60b
                                                                                                                                                                                                                                      MD5:7736B59E467AAEFA0EFA73937BE65733
                                                                                                                                                                                                                                      SHA1:FDE46F878FF3FDFFDACFECD9B0D86C21520F684F
                                                                                                                                                                                                                                      SHA-256:99AED0C536B3D9105D952A7D1C98CC19695BA80971904D3502E81E296391F09C
                                                                                                                                                                                                                                      SHA-512:6F0EAB6E45B8BDE078D34A6355FD2292AAD514BB413ACF58CF3385262F84215E53AE3900508A11EFC693D447B440F5D1D4C8D312908554B3624AC1A4E8F92F75
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):33872
                                                                                                                                                                                                                                      Entropy (8bit):6.561493627348274
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:B2x4wbbh7Kx8kJ3yiW8/zKeGmBt1qm1CS1yvhGcRtquW3LUWbNyb8E9VF6IYijSn:fwvh7KxdlW8JvrpEpYi602f
                                                                                                                                                                                                                                      MD5:C293C0DA6B9366B6C4D4CBB97150CDD7
                                                                                                                                                                                                                                      SHA1:B02EF2864D7194803FAADAFD31CF5E7C8B1B98E5
                                                                                                                                                                                                                                      SHA-256:E32AA53CF8D54AA0B34274E654B40ABDBCFFBE7024EC4B72DF8EC7F9AFCD0BB2
                                                                                                                                                                                                                                      SHA-512:3ACEBB0DD1AE6A69BEB0C1AF55608EAE28AAD67523B93A7F8C277692EAF4A40D8565E8512B74F13661A217A2824E27A44E3655E727E2A63AF0E2469737EBF17F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):45648
                                                                                                                                                                                                                                      Entropy (8bit):6.39363345514802
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:/X8pDT8XP6hA+wMaLWCzAVLOPnaEpYi60w+:/XiDTaP6hfY1GOPnb76P+
                                                                                                                                                                                                                                      MD5:71A04A924FBC5D648EF852284D931ACC
                                                                                                                                                                                                                                      SHA1:51911CEFFE2FF1D7260BDF5CDF2C39929E1E1996
                                                                                                                                                                                                                                      SHA-256:7E4871BFBD64B01CF0876A0BF02099528FE130ADF31BDEB1016DC06206DD6AA7
                                                                                                                                                                                                                                      SHA-512:891006019659170422FB955B1153BB30F954DDFB758E3EB56E299642D7AB679741B1D37BB1850A900E25A4FA0B1C91FFDBA6B4A63D14C799E5686260B1F02FFE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):23632
                                                                                                                                                                                                                                      Entropy (8bit):6.628913155600511
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:toePm+VIkOdHt6Zx8HignlSZYT9zWzL0WVNyb8E9VF6IYijSJIVxD7PqF6h:fPzVIko9FD9o3EpYi60nXh
                                                                                                                                                                                                                                      MD5:1D1C608F502F58F376EBAADE561720F1
                                                                                                                                                                                                                                      SHA1:82CEE758BAF30579113C1C43ACF49B4A7535BD65
                                                                                                                                                                                                                                      SHA-256:685A5A14916A154BF39448A766D85E6B2BD8750C053C7AAFF43F7C75B6EB634E
                                                                                                                                                                                                                                      SHA-512:BF62B2EFBDC38C54AB5DDC1A0C2BF5B6EFAF875742A99F7A74FC4F809EC9E205DE2DB168A9DD5B66842C103FBD80515F515D1D04AF6E159BB00DD6CD56014B65
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):59984
                                                                                                                                                                                                                                      Entropy (8bit):6.314915840218046
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:DCD3yk2B8+9PwwOxC8wZLq6J4q2r0qafouRVPvW37EpYi60xRVt:+kB8+94xxBmm6mqaBafouRdi076YVt
                                                                                                                                                                                                                                      MD5:07DB1E7841F9B711613F9D36B49FD292
                                                                                                                                                                                                                                      SHA1:263A9888E154918D874F5ADC78F16525906FE7C7
                                                                                                                                                                                                                                      SHA-256:F63F865D19B252F8CBFD44BFB2C67542734E88D2A8BD720336FD3002A86D97BD
                                                                                                                                                                                                                                      SHA-512:8A73E111E98EDEC333999DFC2930747486D463F40BBA89F486AB037546E61C82ED57FCEBE9C76ECB487596F98F65B2D76D0357B379810FC1F82B4BF79B137757
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):41040
                                                                                                                                                                                                                                      Entropy (8bit):6.338955490792153
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:Glx+oQSHqk49NI0OP7NWEfDkkuiEk3LVi4EpYi60wk:QVQSyI0OP7NxfAkuiEkbwB76I
                                                                                                                                                                                                                                      MD5:2346448FC8741FDD8CB2FEC4A13A09C6
                                                                                                                                                                                                                                      SHA1:302E59E4AC137233191D1E0A4D09FD1E7D6A0D21
                                                                                                                                                                                                                                      SHA-256:88006DB3BA1F287D2F2389EE59A72CFB3E3076297A5EA0B1DA5BC1AE6991ECF2
                                                                                                                                                                                                                                      SHA-512:34435E18F0E19DE9627D28EF3FC572A96C16E1DADF8B58632C9B0FC90F2C05D3568A87619A46C59E82B199D1AD3132C4B7D340A699B7E14D60A1A621E7BA8A95
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):697936
                                                                                                                                                                                                                                      Entropy (8bit):5.9631065670925505
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:+eos/POdGV5jfWrV/9Yeh9eRcyLfLYtT5mWxTZ/B7jW5JMtRRpKzQy:+0/POdGV5jfW5VnhFyvOB7jW5JMt0
                                                                                                                                                                                                                                      MD5:199D5DA16448D57D9688B0FC45798C9D
                                                                                                                                                                                                                                      SHA1:6063CCCDA4939CF8C943D663A475E0D190BBEE21
                                                                                                                                                                                                                                      SHA-256:D80BBBEA555AB41EEB4A9BE225392F699E2DE379A5814D3ACE544CCC74615353
                                                                                                                                                                                                                                      SHA-512:F2DDBD15834ABDE4CB49F60A5A1919F0B2EA633ED601050A541F095B1EF43B2A5BDB59781E81380A5A3D24DF37F4D986F088172C61799D33B2E4018EEB877652
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):285776
                                                                                                                                                                                                                                      Entropy (8bit):6.198436452323558
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:+MiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcOb:+MZpj06vUsMjbQ77D+j
                                                                                                                                                                                                                                      MD5:E93FC4EAAD9EA0C4EFAE4A9BB02D3498
                                                                                                                                                                                                                                      SHA1:2448FEB521F3380C97E9DE43222B837DC5CD7D46
                                                                                                                                                                                                                                      SHA-256:FFC830BABC6AE1A9CA0015741935D5295C8F217E562BF5394EDA81017706A0EA
                                                                                                                                                                                                                                      SHA-512:147A185BCCA17B0F41234145F53FF3AFC2F8E9B41298144DC09A6E46653669BC221E3A293BD6252C91342295D866AFA61B66FAB09BD49D68C8D86D1F1F3B1270
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):38992
                                                                                                                                                                                                                                      Entropy (8bit):6.292917096352768
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:pdfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsIdk:pxuJRRsnHnyhQupytM9z7O3zfXYvj8rX
                                                                                                                                                                                                                                      MD5:844D54BBD438B9A7669244D635F5ABC9
                                                                                                                                                                                                                                      SHA1:930E1A3E21F1D499121D6071B6A6826FA38F0A55
                                                                                                                                                                                                                                      SHA-256:632E3017C032CE66014A51E89D0A8A43E9AEFF0E0018FB835D88283B547A86A5
                                                                                                                                                                                                                                      SHA-512:BA931F57CB51C13276BFA9B22FE7F28BAFFD0B797F4893E4FB1CCE3F66CBAA27036F982E219F1D82CD0F4DD16201FDCB2D5165F08C39B590E082921FCB33DF44
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):27728
                                                                                                                                                                                                                                      Entropy (8bit):6.55235877778647
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:YSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYhNyb8E9VF6IYijSJIVxKtKH:YSCZUl2O1zCnXyzDeEpYi60ki
                                                                                                                                                                                                                                      MD5:66ECB4DF9FFFE28A3AD4CF7D94F26981
                                                                                                                                                                                                                                      SHA1:A10762FADF1AF95C6C685FBE130D9206F3F0B2A5
                                                                                                                                                                                                                                      SHA-256:B650B86C30FF78A47698DF672994AF7B0D247D558CA5A39FC81AC809C5E97215
                                                                                                                                                                                                                                      SHA-512:AAC4457E5FB735308DDC036E3CB7BD73E1151E6B8FB70919477ACBA9FF4A5F646C45F462091461A33409C20510C89E0CCFA046A4082A222F8985274F952D1F35
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):41552
                                                                                                                                                                                                                                      Entropy (8bit):6.319744600570524
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:+bUqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BCEpYi60U:LLrgfPw3mXREaD76d
                                                                                                                                                                                                                                      MD5:DD5803D458FAB3FAA46BACBD49188A64
                                                                                                                                                                                                                                      SHA1:C16F2ECDED642B9A47A973558EA9A5C5612CC6D0
                                                                                                                                                                                                                                      SHA-256:A56FEB730AF4C3D615855BC12CFBE08F473CC147EC9F878D5F4EE21FC81A9CC2
                                                                                                                                                                                                                                      SHA-512:3B28818A52242977094536F27EB1E75D5ED8AD3A364CB613199F2D4D7D794E2B208B3470563BE0432E8F30FF13B72416A4EB32F0FA9D96C64BD5857A2F596E02
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):138320
                                                                                                                                                                                                                                      Entropy (8bit):6.1600142991276
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:IobKO7RaoWuUeZk/f0Sh1HlWZm1ZZTdyGFkNUMT+P65jDt4Ni:VbKKz1UeZk/Phv8lDuPad
                                                                                                                                                                                                                                      MD5:E383F6A50EB79DD0F34AA7F56CDC0C6F
                                                                                                                                                                                                                                      SHA1:9355A89B24EA73429664C4B29B24C8DEDE63882F
                                                                                                                                                                                                                                      SHA-256:95A1242A546713B4558DA3695B16F1A219FB1F0D5DE0F8576AA95FE475385C41
                                                                                                                                                                                                                                      SHA-512:785955AE8363591057FC90491631DB316C91F2827292C84F51EEF09E1D25E7D83F2A77D3721DA27E8B1ACD1C7FFE00E83998F87ADABEE97DFC7CF82DFE5E0041
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):52304
                                                                                                                                                                                                                                      Entropy (8bit):6.147960758267006
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:Ib1yYPvLtCJY0E+F3xeHwNaleirtqCVlXmL+7NQ1OaY7c0EpYi60OD6u:Ib1yYPL0E+F+8inVlXNP7cN76LWu
                                                                                                                                                                                                                                      MD5:2B1314FCC0FD24FF3BBAF5CE9F477E4E
                                                                                                                                                                                                                                      SHA1:F3E8311CE660FC8BDAABEA6CBDA8073138A0950C
                                                                                                                                                                                                                                      SHA-256:CE284908174703B19C8F81B471C26BE0164DCA0B282A55E8D914082E99CF2D90
                                                                                                                                                                                                                                      SHA-512:3D37EBECECDEAD674261F0A96FA5DC42A77F0D1C5BC60CE50273A401510D27F5B667AF68483642F784E371456A21BEF8D379FEE95EFC7D56ED3DCF9AF608BD0D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):799856
                                                                                                                                                                                                                                      Entropy (8bit):1.7597847647294211
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:g/r3V645uWOL8/pCuPHnhWgN7acW5RjroUEKup3JdqnajvsKyhr:gx6Yi/uPHRN7y/oU7aJdlrsKK
                                                                                                                                                                                                                                      MD5:6A205C78D14FA91EFCA3AE531D1FF7E8
                                                                                                                                                                                                                                      SHA1:9E26E81DFDBA74AE261912993DE875D13BB0891C
                                                                                                                                                                                                                                      SHA-256:6444DFA03609248EFFD398E8562AF484AD0163A6C47CEE6D3A287FFDEF809AD2
                                                                                                                                                                                                                                      SHA-512:FD797F528519BD9B864394C2A45AFA5C7F94F58D1F2B55E0017987FB521C9F7292DBE1366BE778E60352FA8F9A08C10B7299AEA39DEEEE3A164BB105857FE7ED
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):132200
                                                                                                                                                                                                                                      Entropy (8bit):6.172481694612173
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:/Nw50BNfe5FxLyWnongSwUp+k7bAMZ7cPd:CKNfQxRncgS7bBZ7y
                                                                                                                                                                                                                                      MD5:2D13C1C8539D6FD7A0717941BF0357AF
                                                                                                                                                                                                                                      SHA1:0E70EA88A866BAF660950FE74482149456557BDC
                                                                                                                                                                                                                                      SHA-256:644BB3A1AFBEA6B835422B0987376F04796E38BBBECC08C94023638EEBE57F4C
                                                                                                                                                                                                                                      SHA-512:A52AE3560B22C354F5CE89358219A7FA2FEAA12B376F72B8B53E6ED5E4B02703777CF1678744E7C038C29616975C0E63DFE17BFCB0A9D53B394452EC17AD979F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                      Size (bytes):884059
                                                                                                                                                                                                                                      Entropy (8bit):7.999612287779511
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:24576:D6t1vLPPzxa8UerrEEZHU6GyeM9HTbXP2IUKzE0F0G3fKF:Upa8rr5HRG09H3f1XA0C+KF
                                                                                                                                                                                                                                      MD5:4FD4FCEFFFE84EED99FBF353B5A2E80C
                                                                                                                                                                                                                                      SHA1:176347BEF5FB8D85D2D1F2DE99A34AAE4B5D8AB8
                                                                                                                                                                                                                                      SHA-256:B75A587D511A0B8CE67C0B1649B6046BE99F625FF3D76A6CD1218C3B316A2926
                                                                                                                                                                                                                                      SHA-512:D5B1D9A7BCA266DFCB38DA2213E62E6EC75C39B5F5DD73F7DA28E06528C61F8D5CBC5A203418536B9DB58E1BE66627145F0E761C4F588C0DB157D3D1BB7D0808
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1152141
                                                                                                                                                                                                                                      Entropy (8bit):7.9996934105504405
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:24576:Y0MtJOalt7fQwfM+tshGvx5LBhqAc9sDQPfs8+5iaSpFiz:65Lm++hGZ5LnZMO8f+5Aiz
                                                                                                                                                                                                                                      MD5:9A9B1FD85B5F1DCD568A521399A0D057
                                                                                                                                                                                                                                      SHA1:34ED149B290A3A94260D889BA50CB286F1795FA6
                                                                                                                                                                                                                                      SHA-256:88D5A5A4A1B56963D509989B9BE1A914AFE3E9EE25C2D786328DF85DA4A7820D
                                                                                                                                                                                                                                      SHA-512:7C1259DDDFF406FDAADB236BF4C7DFB734C9DA34FD7BAD9994839772E298EBF3F19F02EB0655E773BA82702AA9175337BA4416C561DC2CB604D08E271CC74776
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):52272
                                                                                                                                                                                                                                      Entropy (8bit):6.139785828189609
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:avB4oeg/Po2Obb95bmrpeALHpZAgEpYinAMxCC8:ruQpbHbklAp7Hxx8
                                                                                                                                                                                                                                      MD5:3180C705182447F4BCC7CE8E2820B25D
                                                                                                                                                                                                                                      SHA1:AD6486557819A33D3F29B18D92B43B11707AAE6E
                                                                                                                                                                                                                                      SHA-256:5B536EDA4BFF1FDB5B1DB4987E66DA88C6C0E1D919777623344CD064D5C9BA22
                                                                                                                                                                                                                                      SHA-512:228149E1915D8375AA93A0AFF8C5A1D3417DF41B46F5A6D9A7052715DBB93E1E0A034A63F0FAAD98D4067BCFE86EDB5EB1DDF750C341607D33931526C784EB35
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1782
                                                                                                                                                                                                                                      Entropy (8bit):5.026919218581437
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:3rrb7h+1/gYo27RgdSagFsg+w3Sg+CjdgDt:7rn4cwCR
                                                                                                                                                                                                                                      MD5:13CFEB2261E4DAEAA3C06F7A60078F91
                                                                                                                                                                                                                                      SHA1:D76B6D07D8FEC75789025FBAB18048AD193B1462
                                                                                                                                                                                                                                      SHA-256:6BBDCC477F0C1EFBD0129AC7716F96CC2844103169AAEBFF03D4C8F5C54745D6
                                                                                                                                                                                                                                      SHA-512:F804155363FEB09427F7C8E968EAAA7DDA15F739769864A23C8A0FC9137151A03F02FB30B11F47A69DDCEFFF02BF933721C3757A3FB78C705D0537205BBD3A92
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):11
                                                                                                                                                                                                                                      Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhTLV:WFLV
                                                                                                                                                                                                                                      MD5:530F2E4E5E3DDA283DB3C78CC0C13297
                                                                                                                                                                                                                                      SHA1:CF60B778D32C9562B94411DA9DCD8FED2017AB84
                                                                                                                                                                                                                                      SHA-256:447163A4A3F1F10AFD9EC48F915085B3236F0FA7EDC9973C16925EDB5F6CF0CC
                                                                                                                                                                                                                                      SHA-512:DD4F7AF9A0F57707D1924BB504D3FC267B4898B909CF6E6ECD274BBC9B487A5CE5D8000E3FAD6EC0061E565C728455965C91F1B4E380227264AD2EE3E2990E28
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=6.0
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):95792
                                                                                                                                                                                                                                      Entropy (8bit):6.184818983275012
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:GQ7brNBoXFbuhpLHbTOgemUu7+n3uRw1FlQRd5JY4t5K56y0sDrUfvPrhZwLXF7X:GQ/iwLWgeW+neRw1Hyd/YCs56y0sXUfG
                                                                                                                                                                                                                                      MD5:23C8674C75D5944445BF1C035E4A4789
                                                                                                                                                                                                                                      SHA1:A1255CEDEAC9F9A04B50C7814CD7C61A50623A19
                                                                                                                                                                                                                                      SHA-256:D2043F878740F643BF91F3EF798DBB9747904A1D503AAC4ED2108131F663AB37
                                                                                                                                                                                                                                      SHA-512:52ABA8350A05E9E5A672CB04CE528CFC4DA009247B2BD8B63096AF9A37C1F352A4C2BD12B03973AA1E733551F94F542814E425223DEF2AA33B595AA2DC555A95
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):95280
                                                                                                                                                                                                                                      Entropy (8bit):6.002764283325334
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:ocNQW9Tbp/VgiZi7sT5gdBxYJMcTnbJkI+eD7HxSR:ojobJVgiHMcr5Da
                                                                                                                                                                                                                                      MD5:10961147A546FFCD8B7C19771BA70198
                                                                                                                                                                                                                                      SHA1:5B63EEA0B2E53DB81AFB146D469E899E1E67DACF
                                                                                                                                                                                                                                      SHA-256:95C53735107ADCC39E6C3268335B2AD434E2364A007CC97B2147AF3A6EE837F3
                                                                                                                                                                                                                                      SHA-512:9830450FF9E8D2E6B74D8D8938A18DFB1BA008249D389FB923D5AAA25B7F8F9E5BAD4CB3FC13100C5F53B0CCEDA4E9427E90F2B733EA9BE0FFAA5D5F165C815E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16432
                                                                                                                                                                                                                                      Entropy (8bit):6.656654225594367
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:5Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5XqQ:5Xh+tYmNyb8E9VF6IYinAM+oCaFXF
                                                                                                                                                                                                                                      MD5:96703E15C375B8A701C9D1F5BE8C4149
                                                                                                                                                                                                                                      SHA1:B058FA32FBDA52D70C1B966640B4824D5487ADC4
                                                                                                                                                                                                                                      SHA-256:3F830FA8F22EB09D59088705E26DCE964FB430722E91630B03EB15FCC48359A0
                                                                                                                                                                                                                                      SHA-512:3D7515BBFD018BCB24C69235A65F401BCF00D6932E412696FF31DC6EDE9436B2D4E5983450C9F88AF7B52D18949B4C1EFFEB9C3F94E85DCE57C4495F21D21A86
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):52272
                                                                                                                                                                                                                                      Entropy (8bit):6.410547751816252
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:KQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAM/:K9ML8LW/usybGYVE8mZw+89Wu1e7Hxas
                                                                                                                                                                                                                                      MD5:20FC2DB17D09554BBC37785B3644DFC3
                                                                                                                                                                                                                                      SHA1:AAC4CA54730DB46145748AB419CF6BE3B39D2A74
                                                                                                                                                                                                                                      SHA-256:4151D6C627A324D9F2991A4D98BB7544926DB41B3211EDC1B2085922B1D1FC46
                                                                                                                                                                                                                                      SHA-512:62F6711FD2861BEA0FC214882678CF7F98CB53E8AF858C46CCC1F5B1F2FF9C22DCBD3A184A9DE9AD2D2148F0B529426DE7F793A63A459D72D2DCB048DF4E40FD
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):398896
                                                                                                                                                                                                                                      Entropy (8bit):6.13440642371392
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:hjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvr:h+e55LgIkTmyAAfTnMLvr
                                                                                                                                                                                                                                      MD5:A79C5395D945A1A369EA05D73B1170E4
                                                                                                                                                                                                                                      SHA1:937D030106FD7E88B61E4F4D1AC28A3B9FFA0AA4
                                                                                                                                                                                                                                      SHA-256:7580F72E7059A9DBCF41C94DC69ECCA0B3A983C010DE86B9A509A701163AFEC0
                                                                                                                                                                                                                                      SHA-512:176C719C2595A6A01041EC240D5341FAC5AB6137756FD70F71A1B5C5A6E9A923FB61760808840D439CDBAB70ADFAEE137B13600875E0BC3A209E501DB84C2AAD
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):883760
                                                                                                                                                                                                                                      Entropy (8bit):6.071525670553409
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:Y1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQm:Y1n1p9LdRN39aQZUq3
                                                                                                                                                                                                                                      MD5:022108AD251A8942E295269CA824DE07
                                                                                                                                                                                                                                      SHA1:05CE96EB21FF69C5ACE572405A39936E594B7043
                                                                                                                                                                                                                                      SHA-256:353FC27D930C31219086C6D391B0502AC298F6084DFCB3EA423DD1DAB3BA1907
                                                                                                                                                                                                                                      SHA-512:49028D3C1C7C8FAE813F294577B97EB0C66F2D62DF880072AD59679460D55A6DEB1546DDF07A7353563910E21F4D53F5FCB4BD421887D7B75429083CA200C16E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710192
                                                                                                                                                                                                                                      Entropy (8bit):5.960711597816388
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:yBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUc:yBjk38WuBcAbwoA/BkjSHXP36RMGl
                                                                                                                                                                                                                                      MD5:25879E885A79F4548FD878EAF4A82396
                                                                                                                                                                                                                                      SHA1:AFB8D0BBD5687D2FC19C7A3FB66EA3DF1886DB8C
                                                                                                                                                                                                                                      SHA-256:3DF7B27F8649C95C56F1F68A040F29FB28EFF6756F8BA78C480DFBB541E59E4A
                                                                                                                                                                                                                                      SHA-512:39EB28B89A077D37FC8076A364B26ADFD348F6DC891AC08FACCFB071D3806C32AC0A3A5D82E8D4DE01DF6F9E1C4271CCABFA8FF7248CF6886BEF8FE4BDE51B6F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):284208
                                                                                                                                                                                                                                      Entropy (8bit):6.117274836584594
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:NZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHU:fgo0WPVTXg0
                                                                                                                                                                                                                                      MD5:66DEBCC5962642D31706EA1B067288A3
                                                                                                                                                                                                                                      SHA1:FB6A76C0E5189F66FE1D0E192349077A45BF437F
                                                                                                                                                                                                                                      SHA-256:8CBC47B453EA20F1EEA3337981A1A975A16B68B27AA156831D2B4AD0B63EA980
                                                                                                                                                                                                                                      SHA-512:5C485C7D319BA9C019FBDCA48833D3628E6D9EA6F3AABFA47A519C363BA81D11265427FD470D5D665795B010A26E751DA404DBD70895E5EAFC83CBD50D83ED2B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):22064
                                                                                                                                                                                                                                      Entropy (8bit):6.676829122620627
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqXLP:TuhMaVmzDC67EpYinAMxC5
                                                                                                                                                                                                                                      MD5:C3CBDF33261AA0BAA8C11B4D713BA911
                                                                                                                                                                                                                                      SHA1:A486A2CFA6EF16B9DD005C689C767E47BF18D5A6
                                                                                                                                                                                                                                      SHA-256:0BD8B6B5D401001A2003486077BC095A2138B42DE7A52B212BD7A4AAD72A9E35
                                                                                                                                                                                                                                      SHA-512:132600340186128C7B8EA40D77DE9E5359A52949E7EE815CF959E2000A6EE178FCE26A2AAA2EBC56A48318EEAD3038189567CD5D14F9E977780373649C83F41D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):97328
                                                                                                                                                                                                                                      Entropy (8bit):6.241615255803021
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:rNSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxhP:rN3OWMsQ56vd2s+KuYc9RTJrP
                                                                                                                                                                                                                                      MD5:259DAAE7BD386F6AE1C50DEF93F9A274
                                                                                                                                                                                                                                      SHA1:70E68497781C4E7B931B11E9EFE702ECCFBC3AF7
                                                                                                                                                                                                                                      SHA-256:859758492E07C9297C1C5A0A31FA30129C23D479F442ADE01F4A51F78A0DED08
                                                                                                                                                                                                                                      SHA-512:8D25CB5982E2D8A5EFA0056C120E1BD5AEC7E28DE4DEEC9BFA2BAEBFB0FABDC4A12369F901C8415CDD3402C9A0E8F8F338C1C5E3FEB1A2C0F45ED446AB80701B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):138288
                                                                                                                                                                                                                                      Entropy (8bit):6.18032959054322
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:g3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnJ:S0qjCSRE+fw0kG71S
                                                                                                                                                                                                                                      MD5:CC3FFADF699BFB7F10A176AE306707E8
                                                                                                                                                                                                                                      SHA1:C0824E4E57FEBEF32E904E540BA369BB77ACD15A
                                                                                                                                                                                                                                      SHA-256:D48B4C4D3BED0F4662B98E557A0EDE24B6C3745E7BFFC114164A2FD33D947904
                                                                                                                                                                                                                                      SHA-512:BC648768FA54D6F9A0FB70CE88960EE2137712FD7056F8FF28D2E222871D2FFA96B97C81E21D84CD71EA336F29D28977EAB57D858B2B7D1D7C7B2B01BB455C32
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17968
                                                                                                                                                                                                                                      Entropy (8bit):6.672454142602205
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Nh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeB7f5DxmX:Ny9eEpYinAMxCA7xDxmX
                                                                                                                                                                                                                                      MD5:2BBEC1A6C6C64499CE0A4EDEA5D0C629
                                                                                                                                                                                                                                      SHA1:A1C39059B887B7A1BDF93CAB3237413D5948BE26
                                                                                                                                                                                                                                      SHA-256:D80E6D1C2A0850A2FDCA5F16A259130B08DDFE968CDC137253221CD4600D53CA
                                                                                                                                                                                                                                      SHA-512:B27639E9D30FD23461723708D4067C99AA3162FD8EF935AD5DA75776EBB46F2D11BD0FCA211BE35A195CE3020E10E063F66FDDDEAC0624392143B856DC23C174
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):384561
                                                                                                                                                                                                                                      Entropy (8bit):7.999363646163921
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:6144:Dyg677hm03WpEpp2/8LWX+Kh9o3zYerEz7MLHIqbsauawNMGRSManfY+bcQ/lqNl:Dyf7hm03Ls/OWVh9oMaEz76zwfEHY+lM
                                                                                                                                                                                                                                      MD5:698975AE4AB57FED99CC170DAB8A3E36
                                                                                                                                                                                                                                      SHA1:04B0067BF8584F9D41EF156F75FE28982BFB1286
                                                                                                                                                                                                                                      SHA-256:20FFBCF807587C9A0B13C46406B52927BF0A9965EFE12DB25FCB729E6F1CE7B7
                                                                                                                                                                                                                                      SHA-512:172E65C7657D1FE250AEAF422230C104D03F16356AA32D7B1077ABDD558B69AC4F4F434FA551117AF1CF6FDB74364237E50EF693B2F4201C8475439B6DE77AA6
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):186408
                                                                                                                                                                                                                                      Entropy (8bit):5.7421661476686365
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:QPF+XpxWhiIx4oCIXLGRlsZuPfzh554bD0CJd4bDgoVBLv:UM5ohiQ4DIXLG3sZuaD0dDN
                                                                                                                                                                                                                                      MD5:9D8D50D2789C2A8D847D7953518A96F6
                                                                                                                                                                                                                                      SHA1:42621852B40F3F068DA5494C9879F846B4869399
                                                                                                                                                                                                                                      SHA-256:76AEFE9205BCE78D4533500E6839E892B7D80EDC39ABCD30CA67952925302B29
                                                                                                                                                                                                                                      SHA-512:91EA7152762F00FDFBC6CB8D5D15C2E07BC298AF8958406B0B0FB652EE3D4A4DA9D79CA7DDE47DC7700285B20CBA089F35745C2B3B84B9DC0D258BD9BDC89F56
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):546
                                                                                                                                                                                                                                      Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                      MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                      SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                      SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                      SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):12
                                                                                                                                                                                                                                      Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhWTn:WKn
                                                                                                                                                                                                                                      MD5:3FA173E4E1E00396A06E409935A1E7F9
                                                                                                                                                                                                                                      SHA1:089B85E04C266EDD6DBB678EE91DA656B19674B3
                                                                                                                                                                                                                                      SHA-256:297A53DB6DA22AA3EE4CE849C9952F08BB7296303A170C9DDC7ACEDE10B64C25
                                                                                                                                                                                                                                      SHA-512:D0C34B51E5599C01EDF4CA6ACC89186BCEA5B97A598C4F120B3063C171B9A1668BA5FF87014565360471973B30733A5521783FA3446BF376332AAD23A4325D26
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=38.8
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):96808
                                                                                                                                                                                                                                      Entropy (8bit):6.18015175056516
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:EJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762C:EQUm2H5KTfOLgxFJjE50vksVUfPvO14
                                                                                                                                                                                                                                      MD5:93D5E2AAFBE16CADA057BF880002B2F7
                                                                                                                                                                                                                                      SHA1:095832AFB05852D692BD40D5F77EBBDD339BC545
                                                                                                                                                                                                                                      SHA-256:83333CE938E943AC54EA0428722D8F9D64D2BE993502CD0E95B39E2D78956484
                                                                                                                                                                                                                                      SHA-512:2E2391C315FD173634F262011A25C9E397BC8A1DAC8E86A039F52FF733534F57F2E00ADC995900823448A45933864E814E89549F41271FC9D7EFFD116BBF3854
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):704552
                                                                                                                                                                                                                                      Entropy (8bit):5.9539626583477325
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:79BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3S:78m657w6ZBLmkitKqBCjC0PDgM5i
                                                                                                                                                                                                                                      MD5:50E3F5A0E04CBD99D4BE8CFE914C7BBE
                                                                                                                                                                                                                                      SHA1:19D99AE964F490E055942D516C60DFDEDC585825
                                                                                                                                                                                                                                      SHA-256:89ED8CBC24723D67AC7E47D0D018EA293F15FC210D9B3E26DC555F464E9B15CD
                                                                                                                                                                                                                                      SHA-512:2F67DBB41631B6134414D1685815DAEA7F38120D88F83CB8F83763CF18B1F6AA2B9A5A7EAEF816EB8A24998536556128C15128B4E301B765C859A9741D69BA25
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):4.649034468584015
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:hsShKF4MsShLP6SX9NfzyShaKf0OEGShaKf0Od:m4qBX9Nf14d
                                                                                                                                                                                                                                      MD5:D7C94336051E3DE4CA178E7BDD3BCFD1
                                                                                                                                                                                                                                      SHA1:7F6866C5837C92F2E40BCF5F7C9E1232A1A427D6
                                                                                                                                                                                                                                      SHA-256:DC261F013D63EBC30A7A6CBEABC09FC2E496636982198874A7B7E7C98C668E8C
                                                                                                                                                                                                                                      SHA-512:06D0941B3DF64C9737C4B8C9590E14E9F855065FCB78FBBDBC10913CBF5146CAF091454504AA3E3C0910884913A9CE159C467879A4932D55A2B98DF6B4FD5B46
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:......................TAgentPackageAgentInformation, Version=38.8.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[]...............r>".4.H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):35
                                                                                                                                                                                                                                      Entropy (8bit):3.85416328885666
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:HTcfkBynHi:zcMoC
                                                                                                                                                                                                                                      MD5:20A0F69DC9F73DD7E7E73402594F025F
                                                                                                                                                                                                                                      SHA1:C62F7D7B5C8B7E4EA930FCF95F2A944F9DBDBF88
                                                                                                                                                                                                                                      SHA-256:EC75966AC98E6D60FF65914CA63F23585460523025963403807ACA46CEE1AC20
                                                                                                                                                                                                                                      SHA-512:F1FCEBECFE4B67A5A7D3E588F76930158FD3E63289F5F64A62E4BCD285E69030C20EFB1A809D7AE62E70BBB69AAE61320E378AC017D90E58A972F3BFE9C3B907
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.1E5620A822BD88A11655FC684BB5748C
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):35
                                                                                                                                                                                                                                      Entropy (8bit):3.677028119136097
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:fc3Gh7UgzVchXn:f7NUgWn
                                                                                                                                                                                                                                      MD5:E49A5284D2F384905389D53944708C48
                                                                                                                                                                                                                                      SHA1:E455420E95EA0246B8B63A251B0E451ACD711B28
                                                                                                                                                                                                                                      SHA-256:33FD3B161AEC8867652C6B0707180ADC42C267EE9F66E33BF0CE70B55B4660B9
                                                                                                                                                                                                                                      SHA-512:E9EC60296F38F68EB6C6233094E50EF534CE44A91E6511097158D631673017F8FE316E1C11A494C29BD8BE6F94AAFBF9F4A9546E709694BD3CC98B12CD243FF4
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.2E69DDAE9D0D04A8ED39EECA359A9772
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):328916
                                                                                                                                                                                                                                      Entropy (8bit):7.999290842463468
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:6144:EQjapzpRU64iYUQf9N4E/xWTUugwXWBoJW55fJKsff+Idm3lqd0LNIN/Hggh:EUaBXU5BjfcE5WTkwGRfQY+Om3lqdv5
                                                                                                                                                                                                                                      MD5:D3901E62166E9C42864FE3062CB4D8D5
                                                                                                                                                                                                                                      SHA1:C9C19EEC0FA04514F2F8B20F075D8F31B78BAE70
                                                                                                                                                                                                                                      SHA-256:DBC0E52E6DE93A0567A61C7B1E86DAA51FBEF725A4A31EEF4C9BBFF86F43671C
                                                                                                                                                                                                                                      SHA-512:AE33E57759E573773B9BB79944B09251F0DC4E07CDB8F373EC06963ABFC1E6A6326DF7F3B5FECF90BD2B060E3CB5A48B913B745CC853AC32D2558A8651C76111
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):27696
                                                                                                                                                                                                                                      Entropy (8bit):6.448893455648887
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:TndoS4jOhWCHDIJNQnt96+aTkdMEdcG7UhZPWU1Nyb8E9VF6IYinAM+oC8Z1KTm:Td0SkSeIUhrREpYinAMxCm
                                                                                                                                                                                                                                      MD5:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                                                                                                                                                      SHA1:40AF8F7E72222BA9EC2EA2DD1E42FF51DC2EB1BB
                                                                                                                                                                                                                                      SHA-256:7138B6BEDA7A3F640871E232D93B4307065AB3CD9CFAC1BD7964A6BEC9E60F49
                                                                                                                                                                                                                                      SHA-512:4F461A8A25DA59F47CED0C0DBF59318DDB30C21758037E22BBAA3B03D08FF769BFD1BFC7F43F0E020DF8AE4668355AB4B9E42950DCA25435C2DD3E9A341C4A08
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):542
                                                                                                                                                                                                                                      Entropy (8bit):5.041389931890446
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                      MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                                                                                                                                      SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                                                                                                                                      SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                                                                                                                                      SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):13
                                                                                                                                                                                                                                      Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhUv:Wm
                                                                                                                                                                                                                                      MD5:27AD88A291FC97D97FD773334DE4E487
                                                                                                                                                                                                                                      SHA1:04B5DB46F05E02E2EC94B8A0A3447EA41FA4089D
                                                                                                                                                                                                                                      SHA-256:4E7F8923223CB32E5D376EBC0C5361DD97DB201848590C4877D586723142B49F
                                                                                                                                                                                                                                      SHA-512:5B21A87E19D4E3D7A14DC05C815B8D06500695360AAD1F54D2D3713CF05F646E9E7D559551BFE2CC2CDEBCE29A1991BC80AB2B11DDF79A4033897B34DCA40521
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=17.14
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):93232
                                                                                                                                                                                                                                      Entropy (8bit):6.196023578677744
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:5Svbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hxh:5S8UMW+BV5M+5Nn0kom/RSz
                                                                                                                                                                                                                                      MD5:BD539D820C8163E9E86E59B99ADEDD22
                                                                                                                                                                                                                                      SHA1:FF367525BA06F8B9E611A82CFD57411BA4FBD1FE
                                                                                                                                                                                                                                      SHA-256:04C547E06CA956DB2B929CC2B6B695A649FF0F82C52E56F2677A887E7D9616DE
                                                                                                                                                                                                                                      SHA-512:FEBB46D70A5466C85087BD4E42FBA81682CF398739F7EFEF43982C830CCFD6FCEC4613F0B5542951A463161C891EE9F378CD4D2B15B1659DCBC0E15A34BA677F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710192
                                                                                                                                                                                                                                      Entropy (8bit):5.960415778826794
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:fBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUs:fBA/ZTvQD0XY0AJBSjRlXP36RMGx
                                                                                                                                                                                                                                      MD5:3DDA2732842FCAEEA0477F18D85CB584
                                                                                                                                                                                                                                      SHA1:D70016DF3F407CFE1BE6ACF63CC80A2B40F8212B
                                                                                                                                                                                                                                      SHA-256:EF3F8313AD94CFB9C2E8C95B54433F112918A0542C341763B19C0B2C6914A71D
                                                                                                                                                                                                                                      SHA-512:3403842EA1DF9F314EFF6E78F36F215A4E371B01B1C83345B7745737FABB092BDCFE63F78A29FB5FAD14825DA1C7AC286CC8BCA02B0FC3056620FE268D4FE6F9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):833993
                                                                                                                                                                                                                                      Entropy (8bit):7.999644881255343
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:24576:peRqTiLR3omp/AAzr5nxL2CP+sZ4tgMfQo:p8nLR4WYA72CPPoKo
                                                                                                                                                                                                                                      MD5:9B1F97A41BFB95F148868B49460D9D04
                                                                                                                                                                                                                                      SHA1:768031D5E877E347A249DFDEAB7C725DF941324B
                                                                                                                                                                                                                                      SHA-256:09491858D849212847E4718D6CC8F2B1BC3CAA671CEB165CF522290B960262E4
                                                                                                                                                                                                                                      SHA-512:9C8929A78CB459F519ACE48DB494D710EFD588A19A7DBEA84F46D02563CC9615DB8AA78A020F08ECA6FA2B99473D15C8192A513B4DF8073AEF595040D8962AE4
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):219696
                                                                                                                                                                                                                                      Entropy (8bit):5.943430076853408
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:It3Mf3ZwYUPEpbPwygJQetg0+BpU3I0toxhGf:2MfJPpjYN8hI
                                                                                                                                                                                                                                      MD5:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                      SHA1:AFC25CF6A7A90F908C0A77F2519744F75B3140D4
                                                                                                                                                                                                                                      SHA-256:9D4727352BF6D1CCA9CBA16953EBD1BE360B9DF570FD7BA022172780179C251E
                                                                                                                                                                                                                                      SHA-512:33BD2B21DB275DC8411DA6A1C78EFFA6F43B34AFD2F57959E2931AA966EDEA46C78D7B11729955879889CBE8B81A8E3FB9D3F7E4988E3B7F309CBD1037E0DC02
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):541
                                                                                                                                                                                                                                      Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                      MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                      SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                      SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                      SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):12
                                                                                                                                                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhXWp:WBc
                                                                                                                                                                                                                                      MD5:DFDD2EB77BBB74518BAD98519A857D41
                                                                                                                                                                                                                                      SHA1:5F4F91D73EA620CDF0E5AC458E80B71412B1BB9F
                                                                                                                                                                                                                                      SHA-256:7655078305CC5B4F62569EF9868E1B04FCC491D33FDAD1F8E4610C038BCBAC8D
                                                                                                                                                                                                                                      SHA-512:481CDA97C03294EBAB036F99727828983C8D0E4C137AF05FDEA7FD296D11378904BACCE2D58D44F932A0BF7F2A30A9B44F4CBC05E253F132B1EF641F648C8DF0
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=23.8
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):52272
                                                                                                                                                                                                                                      Entropy (8bit):6.300719339270839
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:5i8fXCGsSVh/2ixXxKFArYCJdshn9xvlOaEpYinAMxCuMr:5FaM2gS1y2F9Ob7HxCr
                                                                                                                                                                                                                                      MD5:9467F653980C1C37E4C64811BA27C976
                                                                                                                                                                                                                                      SHA1:68130FABBB50EAF5CFE2C355BA13B303DD373FB6
                                                                                                                                                                                                                                      SHA-256:821847799A2B7B3A6EC20BA61388AC87707D9C6865BD904A44DE5B033BD2EF29
                                                                                                                                                                                                                                      SHA-512:E72B7802256053589D889B2B7E74A2B53F328289A12CC0D4930D66410D00585C67B2C434512473CD2E74C8F2CB7685C2C34FCFC3DBA4A52399532CEB04153597
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):96816
                                                                                                                                                                                                                                      Entropy (8bit):6.1801131806578455
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:hJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwx:hQUm2H5KTfOLgxFJjE50vksVUfPvCI
                                                                                                                                                                                                                                      MD5:F1B2303DD7E152BA70F3537EDB2E9638
                                                                                                                                                                                                                                      SHA1:7E359D4B9011449DABB7F8236F14851A346B5028
                                                                                                                                                                                                                                      SHA-256:8EE8B304339B6F87E79B117F605375AFFFCBABA290A1B41BB6B3C1A40E46767C
                                                                                                                                                                                                                                      SHA-512:A4DD48F1AFF528DADF9974ADA1740CE785823FB584F55191D008158FCFB11F9ADAD8EFF992B8FF761058706C1717E28FBC9C337CF39D4EE4FFAA529501CB3188
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):19
                                                                                                                                                                                                                                      Entropy (8bit):3.0503018554349826
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:IKXXQu7un:IKHB7un
                                                                                                                                                                                                                                      MD5:BFAA948C6566E264736ED350D2E44A7E
                                                                                                                                                                                                                                      SHA1:33F7D0A8AFC80D2193E18EA1CBF13D7B4508BD37
                                                                                                                                                                                                                                      SHA-256:21E659881C9AD3ECC980406EEF47DF0947AAEF474C5A392C7C27F0EE2C3BAFE1
                                                                                                                                                                                                                                      SHA-512:9D6551E02E20C8B28EEC031DBAAC6976E6104E0E2C49385F830DCBF07C9903651B54C22695C3FBD240BD48896E1458A14EBA8EF888682DA0AAFD463916D1EEFB
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:14/01/2025 13:35:13
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):499760
                                                                                                                                                                                                                                      Entropy (8bit):6.056862695710082
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:HXv781Hpx+GfCdLr/jd9yyeEAHweiPofdyz7qd352SW8CdykAfqO:/76BfC5avfdyvc2SN
                                                                                                                                                                                                                                      MD5:3CE7E73DB6F575A0D382DDAA8E1A3C10
                                                                                                                                                                                                                                      SHA1:031C13652C540CA7F798D141D7C3333FB1C71618
                                                                                                                                                                                                                                      SHA-256:692185C37DB7505250E58CC55D6707FCB099315A7FF319A9CC92FD99C5F0EEA7
                                                                                                                                                                                                                                      SHA-512:5270E772613864BD223F31F89CFA500E56E7863967C58C503F92E193AF8C8CAF934B7755868EC21585A38E8D6D186A2DC5528A805A62A0BFA56B59E6506BFF81
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710192
                                                                                                                                                                                                                                      Entropy (8bit):5.960733432365752
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:bBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:bBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                                                                                                                                                      MD5:2A9525F27730CBF9E7145AADE4CDA830
                                                                                                                                                                                                                                      SHA1:A6A99E02599656DE1C7F51B02C84BBA8AAE0346D
                                                                                                                                                                                                                                      SHA-256:29D0073080509DB7F3F20C47980A1347CC4139C5F2E26C9C160AE67CE5EECB6E
                                                                                                                                                                                                                                      SHA-512:DDDEEC7AA9D3F9E6187718564AE1A447FCAB12EC2DCBD26EDD87217B4815C274A6BAF90A027766FCC94815C762ED9BFA8D0DEF6C1B2F84279DED9C66852D381E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):277040
                                                                                                                                                                                                                                      Entropy (8bit):6.190626027944278
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:rSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYA:suQlBAMW0BvltxZ6B
                                                                                                                                                                                                                                      MD5:4ECF017FD71CC84A4CBAB7507B8634BE
                                                                                                                                                                                                                                      SHA1:2343F37490F9A11F5F0878A1553F0FAF504FE062
                                                                                                                                                                                                                                      SHA-256:871D9403D045F94FC433907E49B68894764FCAF81E12FBDE2AC7A08642DDA32C
                                                                                                                                                                                                                                      SHA-512:5FCB9BDA9C857BA1AD2EC0B19AD109AC54BAC91B8F8F00968560623C8AFD01FAEE1078F7C76010C7526A37C46EE0DB74A0E0DB151186F8FB220105F7091FA69B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):149552
                                                                                                                                                                                                                                      Entropy (8bit):6.059724018456156
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:o/S+nps5/3oat9QrwQmUgs0giOBDQntBBGBBKBUkBBXBBgBBFBUABU1BB0BBBBgB:o/S+nps5/3f9Qrdd5EtBBGBBKBUkBBXh
                                                                                                                                                                                                                                      MD5:2FF31980FD256EF1B1E143D4699BB727
                                                                                                                                                                                                                                      SHA1:608A21DA2B243E63DAD9E36EE84BC38C921F8E77
                                                                                                                                                                                                                                      SHA-256:F34AD6FB7847A85ADBE1492C783233A8A32BB5E96972FA3738538CE20513F682
                                                                                                                                                                                                                                      SHA-512:2FEF83A7668D190297863592FBBC8E766042067138C3A163771CDCF1FB284BC8162EA6B7B958CB076B6AB654216B855324AE292F78931C47EDC33B52376943AD
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):27184
                                                                                                                                                                                                                                      Entropy (8bit):6.334370226233819
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:Bn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCw:BnvXYcIh6yFIFBYpc47Hxn
                                                                                                                                                                                                                                      MD5:A964D6B5F323E343E884A1E4EBBA21A3
                                                                                                                                                                                                                                      SHA1:41FEA32C2FCC56070CF904AB441019F963C83ED5
                                                                                                                                                                                                                                      SHA-256:0214D2C78CC1DBE92853305FA12119BBE09EA06B5EB9C4B4E7AD76B6FAF232ED
                                                                                                                                                                                                                                      SHA-512:3E93C094D3B9D77BAE9C1725B452743FDFA0A20EB07FFC50EA861C501821710A2C29197CF43DCEC1BF089A5BC9B8F2BF57F9FD0EC8D9805D00E32538D03CD46C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):73264
                                                                                                                                                                                                                                      Entropy (8bit):5.955083228632948
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRX:R7N1r9KGI04CCARLX
                                                                                                                                                                                                                                      MD5:FA432B69828C0F175E44B367AF91ED2D
                                                                                                                                                                                                                                      SHA1:C0E72D5C64E9B560311EBD1EC3A35CED46386C78
                                                                                                                                                                                                                                      SHA-256:6718AFA55EF89805B69360C9E88347A39CC302AB3C16590E78136C20DB025613
                                                                                                                                                                                                                                      SHA-512:E0C54D9126C557C24013486A31D5477EFF2B800ADAE472C3103EE1F1CD527546E6DCEFB19D5DCE602AEE6DA7A0290F413CE2C6C09DF28D4333C4E62510FE2064
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):639
                                                                                                                                                                                                                                      Entropy (8bit):4.823865709907384
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:I6dMIytXE7RdMIy6XEOMrDkRdG4ECuZDDHGhzrQgGHdeGWc9r6GHduovGWnur6Gy:mtX9Wg4EhmhPQbj158LF58LSb8n
                                                                                                                                                                                                                                      MD5:346B8E108F98035DA96B6F8D5B82522A
                                                                                                                                                                                                                                      SHA1:6144845032EB3DAF0BBB8986CCF7226B8D89712F
                                                                                                                                                                                                                                      SHA-256:7D27BA9377874B05C4722405C6ED1893E266836018B6B6BD3B3EE8B3044D9015
                                                                                                                                                                                                                                      SHA-512:85E0704C7F79ABC9A2513A20A6248FB43617619F156CA173DB4EF7B7823F2A045F373132C7825D06F45427CEA459075AF0896B58C6CF206E18CAAFAEFA70C3FB
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:14/01/2025 13:35:10 In Program static constructor, before instantiating _logger14/01/2025 13:35:10 In Program static constructor, after instantiating _logger without using _logger14/01/2025 13:35:10 Starting Main(), logging without using _logger..14/01/2025 01:35:10.734 pm: Info: Before PollAll() call written at: 14/01/2025 13:35:10..14/01/2025 01:35:13.656 pm: Info: In PollAll() before Poller.PollAll(false) written at: 14/01/2025 13:35:13..14/01/2025 01:35:13.671 pm: Info: In PollAll() after Poller.PollAll(false) written at: 14/01/2025 13:35:13..14/01/2025 01:35:13.671 pm: Info: After PollAll() call written at: 14/01/2025 13:35:13
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1246506
                                                                                                                                                                                                                                      Entropy (8bit):7.999702247108497
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:24576:Ony3ipTOpSfZauTZ0OH58yGrxiVj3WqHvYfUmanGGJFE:OnaSOpGoud0OHGliZWqH3bn/E
                                                                                                                                                                                                                                      MD5:E74D2A16DA1DDB7F9C54F72B8A25897C
                                                                                                                                                                                                                                      SHA1:32379AF2DC1C1CB998DC81270B7D6BE054F7C1A0
                                                                                                                                                                                                                                      SHA-256:A0C2F9479B5E3DA9D7A213EBC59F1DD983881F4FC47A646FFC0A191E07966F46
                                                                                                                                                                                                                                      SHA-512:52B8DE90DC9CA41388EDC9AE637D5B4CE5C872538C87CC3E7D45EDCF8EFF78B0F5743AB4927490ABDA1CFF38F2A19983B7CCC0FE3F854B0EACCA9C9CE28EDA75
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):37936
                                                                                                                                                                                                                                      Entropy (8bit):6.42035670242574
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:GlK72yzFcoUzzxYeHTxwx6/ufD/EpYinAMxCoG:3e9YeHVwYe47Hx6
                                                                                                                                                                                                                                      MD5:EFB4712C8713CB05EB7FE7D87A83A55A
                                                                                                                                                                                                                                      SHA1:C94D106BBA77AECF88540807DA89349B50EA5AE7
                                                                                                                                                                                                                                      SHA-256:30271D8A49C2547AB63A80BC170F42E9F240CF359A844B10BC91340444678E75
                                                                                                                                                                                                                                      SHA-512:3594955AD79A07F75C697229B0DE30C60C2C7372B5A94186A705159A25D2E233E398B9E2DC846B8B47E295DCDDD1765A8287B13456C0A3B3C4E296409A428EF8
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1295
                                                                                                                                                                                                                                      Entropy (8bit):5.018953579697613
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:JdArdEtPF7NhOXrRH2/BLVv+13vH2/nVQ7uH2/FV0PH2/+w39y:3Ar+z7O7Rgdp+1/gnSagFsg+w3w
                                                                                                                                                                                                                                      MD5:843D2196B96E53ABCAE6F4C243D1A7A6
                                                                                                                                                                                                                                      SHA1:EB28441616660FD53653999595A3309961AA9A54
                                                                                                                                                                                                                                      SHA-256:175C1EBF4B5C56563944E65C9E8AE4595730155D69854499DB638E82E16DF056
                                                                                                                                                                                                                                      SHA-512:2C24DA122963E1BF533FD8A5C841C9BCD86442E0E49D3BE379FBB21AA607FDC6C7D30BA5573615416D55538429652BF1108D88EC8267FDC5D8C8F9ECAF11D0A1
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):11
                                                                                                                                                                                                                                      Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                      MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                      SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                      SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                      SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=1.6
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):102448
                                                                                                                                                                                                                                      Entropy (8bit):6.190700491174632
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:hPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87HxBg:h2bYbYSWd85I5sSakFQhHL8/g
                                                                                                                                                                                                                                      MD5:266A4736FE6DFEADBC40C66AF39D3871
                                                                                                                                                                                                                                      SHA1:D090E63810691F78F760E55640B81958BC715183
                                                                                                                                                                                                                                      SHA-256:4D6091013BF285AF05D901BA130E86D8CEFDB4E387540C3814929C1277C2DDF8
                                                                                                                                                                                                                                      SHA-512:AB43966CEFC08A8FE9B7A1787948F55A73B243CA6DE7259FD42E5BD4ABAE61D562C9642770708BA38AB6118D3755741529ED51E7DB2A8A811BE8B876F2922A8B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):95280
                                                                                                                                                                                                                                      Entropy (8bit):5.998846079851237
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:GiLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7Hxlv:LZ0PMcjrgv
                                                                                                                                                                                                                                      MD5:C6339BD38794C9EB831004955DE64D16
                                                                                                                                                                                                                                      SHA1:EAE04876F94347538735F853B7F14778CB75180F
                                                                                                                                                                                                                                      SHA-256:855D0323807390D8F499355D0030685FBD6DC6939218A15059CB3E9C744AB1A4
                                                                                                                                                                                                                                      SHA-512:F62F76F305285F1C206AEFB8418E48BD2074DEC768C16986353305F34D17524E9A9AEA29AAE11B0D927247161F21039933B3EA68F2BC7F40623B471E123B33F7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):51760
                                                                                                                                                                                                                                      Entropy (8bit):6.408406581403349
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:hQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCl5E:h9MYn1seLE8JFMLcyMH7Hx+E
                                                                                                                                                                                                                                      MD5:7F8418A330DA75F653CC1A50F0B91175
                                                                                                                                                                                                                                      SHA1:7448DCCCDB8FBB1CC827FFE4861C7BD529EE85F5
                                                                                                                                                                                                                                      SHA-256:BF780EB84424039CAB84C818D21A402369EC1BDC9136E1CDBB60486343A07723
                                                                                                                                                                                                                                      SHA-512:3CAC7066B3F210D826383CA000CDC581C0CA193800C97F2F34C6139BB4880A12A485604344EF22BADFD4609F2A0E7645E81DECFA8C5BF8C6DF4406BFEE6DBFDA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):354352
                                                                                                                                                                                                                                      Entropy (8bit):6.1536791121281995
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:4r/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYyD:4hpp9xxIBeXGfvYyD
                                                                                                                                                                                                                                      MD5:697D8BC281B58B1FCEEC721B9BC01059
                                                                                                                                                                                                                                      SHA1:DA468B41FDADE096896B6835645DEFF110F438F5
                                                                                                                                                                                                                                      SHA-256:82C4EFE948B812C844DE4950130C292CDC49EDA42F447E17DE6CC451A1F5135E
                                                                                                                                                                                                                                      SHA-512:95877A2E690E083B256F71E376BE757FA0D329A6AAEC193461D325C63867BCE9E72A648EDB17A8817198C5224853541C65F664A6FFB966AE35D9E558F681EF46
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):883760
                                                                                                                                                                                                                                      Entropy (8bit):6.071511091364285
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:m1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQ0:m1n1p9LdRN39aQZUq1
                                                                                                                                                                                                                                      MD5:1A5AE803BFFDEBA6B4D9825233D1C23C
                                                                                                                                                                                                                                      SHA1:E324D9B2F417F46FE3364658429B620BC5942322
                                                                                                                                                                                                                                      SHA-256:2BED7E5890D572E41770C422C25CF11F0D3C2D170C5F38F8EB1535E1A3E614C6
                                                                                                                                                                                                                                      SHA-512:D8DCB1E227AD001A2F43C9847E0A22D43DBE7021814AB88DBD168092A3C172D17CB69848F743166E755DB771B55025664C0E53580B9E48252B1581AD281E332A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):702512
                                                                                                                                                                                                                                      Entropy (8bit):5.943194897994663
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:3f9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cH3:vXNL2PVh6B+BzjmcX
                                                                                                                                                                                                                                      MD5:F78DB2C6B247E0FFC215A44AE88178D8
                                                                                                                                                                                                                                      SHA1:12FB14AE1CF731115F07076AD939A2ACC57A9920
                                                                                                                                                                                                                                      SHA-256:1DFF434970F52326AA5E0C1164AB76A771A1EE651E37166DF8A3BC3F06204746
                                                                                                                                                                                                                                      SHA-512:AF3F67FA56CA89111E389DE17F9030D979827E8B60AF86E991115B07759D6DADA1B74ED870B5163474192BF58A5FA69EBFB03DFCF087EB88E1E72EC26BB578CB
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):285744
                                                                                                                                                                                                                                      Entropy (8bit):6.190004154231823
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:uZAWecOmop6I4A9YzsRuBeXirS9/pcRykxxNKKV6S8mSrpsPngH:uZeZ6ANRIru9/pcMkoKV64SrWA
                                                                                                                                                                                                                                      MD5:2CD03F275D3BB90B106632F203DCAF64
                                                                                                                                                                                                                                      SHA1:025C716D6B123FA03DC9F97D4BF77D4AF20B75AE
                                                                                                                                                                                                                                      SHA-256:B90619EBE88644BDA995505BDE5D5E282403E27FF7A55E273CC2FF9ACC88300A
                                                                                                                                                                                                                                      SHA-512:321660D33F6126077D4DC04AFBB341B9D46D07E2B38CF45F1C7B2C8B60A58A3F008390EE6F8B6995BECF4B0EADF66C9263D4BE67C8269F9A0851207650B9632D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):284208
                                                                                                                                                                                                                                      Entropy (8bit):6.117448325022863
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:/ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xH9:Bgo0WPVTXgd
                                                                                                                                                                                                                                      MD5:BF59A9BBF620C0F06ED79180C868FCE0
                                                                                                                                                                                                                                      SHA1:2E8F9EF7A105A951790344A3B9ADC61DB35ABAAD
                                                                                                                                                                                                                                      SHA-256:CEBDB552DAC9E136F87E37A461B7683934F00AA2A74FBA15BC53ADFA38F1B79E
                                                                                                                                                                                                                                      SHA-512:C472376BD7A0E532CB8FDDA7ADDB00FB973D30F97368460929E8352C16BCB17EA92264C81E1E1E084566172ECE3D1513073D24B01990A808335D0C040039C6D3
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):22064
                                                                                                                                                                                                                                      Entropy (8bit):6.678227546122444
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Xy/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqq/dW:XuhMaVmzDC67EpYinAMxCwk
                                                                                                                                                                                                                                      MD5:181F16CCEBD4B02ACE42A02CC536ACA9
                                                                                                                                                                                                                                      SHA1:84795DA0255E288C96AC64F1C8150E81E0289FFD
                                                                                                                                                                                                                                      SHA-256:80582DBDE89A6D9906721AD27562C7B2BEDE7048E4D461828D3BA2C4438E58E9
                                                                                                                                                                                                                                      SHA-512:73F93A3F4538FCE421A453B5A90AC662CC58D5A846AFECB8E337F33A1D643A81C8D02F5F3AECAE4CF00828A3103C63614F086E92ABD262317B13CF608784D72A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):51760
                                                                                                                                                                                                                                      Entropy (8bit):6.235108733243218
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:bzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWC:bzpjF0/t043e3vggr83jMYa/hU7HxVJU
                                                                                                                                                                                                                                      MD5:30BD9DF0841299E8FA11340B83A441B0
                                                                                                                                                                                                                                      SHA1:36447785062CB3DFDF9A1E03548EFD348760458F
                                                                                                                                                                                                                                      SHA-256:801BB92AA7A8840148FE548ECE4B7291C0E4FA73712FE2497074C925ECC906B9
                                                                                                                                                                                                                                      SHA-512:830B821EE5BF401A6B95662EE191FC8BF08BF64D4D8BFBDB0E142D303AB241C41C4134883C0851B4D5DAF49F598454CE33595787C7084B4F9504794D9B07E54B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):138288
                                                                                                                                                                                                                                      Entropy (8bit):6.179673461309118
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:MP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8Ily:Mh0qjC5RMOHO420kN1Z
                                                                                                                                                                                                                                      MD5:37C069A058DC803C83C43DF6681907DA
                                                                                                                                                                                                                                      SHA1:ED522080452C472560A74F4B979BDC5CFE1643E7
                                                                                                                                                                                                                                      SHA-256:9CD89ED91343ABF19DEF9EE1809AC28765EB3D63E5597583D3D183156D8B3C62
                                                                                                                                                                                                                                      SHA-512:1F38E4153FBFF9C996C3348A325AC3E9B43118D97F5E51B1099D09C61BFC4D772ADE110603D479403317AD76AD42F494E55A58E278F825EFBFA6E1ABEE246929
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17968
                                                                                                                                                                                                                                      Entropy (8bit):6.674524887219165
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Hh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBr882HW:Hy9eEpYinAMxCAT2HW
                                                                                                                                                                                                                                      MD5:3D126403FBA7BC6FAC6E6ABF5FCE09E8
                                                                                                                                                                                                                                      SHA1:70B60D649EB174C109C0A6DC873444473D956694
                                                                                                                                                                                                                                      SHA-256:D2B815734C2683E7759DEEA3019FCD2B19F5B879CFA3BA02620619DBCAF73E38
                                                                                                                                                                                                                                      SHA-512:BC0D56E79471051228DB678AC686BE96BEA6697C2376AE28574EDBAD52CF827AE720A7F733B6FE96B2757610771137B6E6A6CF86B787128136D17B232F09569D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):27184
                                                                                                                                                                                                                                      Entropy (8bit):6.335679732582514
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:Qn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCF:QnvXYcIh6yFIFBYpc47HxG
                                                                                                                                                                                                                                      MD5:14C4B9D7E63166E65ECCD9A74A55BC4A
                                                                                                                                                                                                                                      SHA1:C1F849748FBC76EC9BF9BF934135860242CE1928
                                                                                                                                                                                                                                      SHA-256:83BBFBEDA8EFB1745ECDDBEE0FB16ECAE1E6524461FE075B90C700E34C78498F
                                                                                                                                                                                                                                      SHA-512:C2774C72B62148FFFF05B2714F4720D212F52F740812D307D683D66709D77FD06F325A4DB25D952B9B2CCA5A1DD60CEDFCBFB6420FA5CE1A81B9D711395671A1
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):73264
                                                                                                                                                                                                                                      Entropy (8bit):5.95485496879401
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRY:67N1r9KGI04CCARLY
                                                                                                                                                                                                                                      MD5:B742B57BE990E57E0D079CFAF918E086
                                                                                                                                                                                                                                      SHA1:00652CB0AD4ABCE039397AF2308B2D6D251A2B09
                                                                                                                                                                                                                                      SHA-256:8929394DD35DBF2592AAE46E1063D38D782122F2A7F6A0248A754817E4394823
                                                                                                                                                                                                                                      SHA-512:2CD15A7F0626AD3BBA10431AEEFEDE1A195987BA609EC01A51083EEEF11DA516FF4D0678451372106A27A66E013A1012FB00E74CB4F4125C7F451559DE326908
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3589532
                                                                                                                                                                                                                                      Entropy (8bit):7.9999266027103735
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:98304:YylpVobXLx8h6xRBXbtjPZX622ysoac658SrSOubme:YGh6/h36ZesPu5V
                                                                                                                                                                                                                                      MD5:93E4C198656FC267F392DE11DEE01CD0
                                                                                                                                                                                                                                      SHA1:E92CB59486745EE7564F5B374E790A065E1F4678
                                                                                                                                                                                                                                      SHA-256:88B220F9F9BF25F856DDA714AA1A1AE998720780CD3EC5B968154E03834FA965
                                                                                                                                                                                                                                      SHA-512:3A04A02982DBBBB9D54B6C5674F2F2C10E0CBCE580E3974CD924CC9131CD94AECE71C7B975C9ABAAE82F057C70243FB016D31339E8700C96BD55C434BB98105F
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):407080
                                                                                                                                                                                                                                      Entropy (8bit):6.258938058111771
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:hkeEB9gZiG47PijJOcABetwyGRUAvILNqe8R:hETbPgJ9wyGmAvx
                                                                                                                                                                                                                                      MD5:810F893E58861909B134FA72E3BC90CD
                                                                                                                                                                                                                                      SHA1:524977F32836634132D23997B23304574D8D156A
                                                                                                                                                                                                                                      SHA-256:B83B6C1F64B6700D7444586A6214858A1479C58571F5E7BF4F023166C9016733
                                                                                                                                                                                                                                      SHA-512:DB463D34A37403A9248D463AE63989B40A0172D9543BDA922DACB10A624EB603700628A67D9C86DF2605C36D789902EC79228AA29F26C49BE0195C54A9E4A191
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1459
                                                                                                                                                                                                                                      Entropy (8bit):5.033662307409642
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                                                                                                                                                      MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                                                                                                                                                      SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                                                                                                                                                      SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                                                                                                                                                      SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):12
                                                                                                                                                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhWan:WD
                                                                                                                                                                                                                                      MD5:A6BD887EE94E12D3C42A5D47B4C73826
                                                                                                                                                                                                                                      SHA1:6B30541A5B528FF8A8BEFDB5CAB0B9DCCF4B2491
                                                                                                                                                                                                                                      SHA-256:643D32F1B400E5CDC5B76067EAC006167C07B321D5ABD06B30F1A45E9FE2253C
                                                                                                                                                                                                                                      SHA-512:EC86B4BEDA8995C13F550CE0F1C60B7BF384F706D37C516A12C6E6D6E0040BC11F72E9AF09117D78B46BB799E9E41F4F6B2E78B84C2CF087AC76A1EB94986171
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=38.1
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):102440
                                                                                                                                                                                                                                      Entropy (8bit):6.190271548489902
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:jPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OLv476/:j2bYbYSWd85I5sSakFQhHLv4k
                                                                                                                                                                                                                                      MD5:04574008839C988B1598DF22015A4285
                                                                                                                                                                                                                                      SHA1:9176EE5F15BF855F1A0ED1CAD5F1C33E29841D01
                                                                                                                                                                                                                                      SHA-256:6347791BE389BF6BF83F6A499077CFC874E282B6515B7400F09950C35AE4A5B0
                                                                                                                                                                                                                                      SHA-512:D21C39CA74C2DF27F0969A8E61A0A4B055B9765A3A87E34D05AC17570FC9CC7FB149034FA35F0F7F06231C116E4B61A88372ACD0704A68634E2E35E38797994D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):95272
                                                                                                                                                                                                                                      Entropy (8bit):5.995771579764986
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:x4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkjUB766B:x4auS7S5Ea6WMcpuUB/
                                                                                                                                                                                                                                      MD5:D132E136DB67781D6B7A78531B0890CC
                                                                                                                                                                                                                                      SHA1:9E3CE11B6F880B50338768B88F4E9ACC1BB98EE5
                                                                                                                                                                                                                                      SHA-256:01243BC9656F0F1F49A5A03807A8688408FE8685577351C8FC83A8251AC2603A
                                                                                                                                                                                                                                      SHA-512:9260472A987BDCEAF5AD26B7164D729558EAE606DB80005AF77F576BB05DA350762CF93B92484BEE4607F7AED853308C49C7BB6AB70D6B0D1E9B30549F4951D9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):75304
                                                                                                                                                                                                                                      Entropy (8bit):6.240181778832263
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:8u2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYn:hF+qo7mDEwj4NXLGcfgruFcaD76ji
                                                                                                                                                                                                                                      MD5:1730F5BE3A1F7BDDC6FA6C2C30F9A507
                                                                                                                                                                                                                                      SHA1:5F96A22803ED258D8174650F872A926F16D9F0E8
                                                                                                                                                                                                                                      SHA-256:F300A241B3E7EF97D43ECA324260E2859F3832C386B4D28B97979FC1FDF32218
                                                                                                                                                                                                                                      SHA-512:19AC925A83EDF979BAE65A2BEF7FCC361535168D761C1D7350094501C149D4C3E21F5BF09652990879887553E6FE282F0B7AE5167CFFA208825244462633AE3B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):51752
                                                                                                                                                                                                                                      Entropy (8bit):6.40663982427702
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:uQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bnYEpYi60k4jvB:u9MYPJS/16/E8/3A+++bnh76J4jJ
                                                                                                                                                                                                                                      MD5:6FA53D86A203A8F423D5D7031787D033
                                                                                                                                                                                                                                      SHA1:8C30AFC2B99C8B3DE4FE734AB7AE1755A323B354
                                                                                                                                                                                                                                      SHA-256:11939A9A964A1797C037931B39EBBE608FB9EEEED56DFF5D2429BE81B9395E18
                                                                                                                                                                                                                                      SHA-512:0E0E21777A8AC07CD53A6B6674495DF85723C07B99E43D4DA017D6332A114F54B540EEF0861A495DFB102BB201D4F3D7215A79D197D5F46ADBD75C1025F791A5
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):155176
                                                                                                                                                                                                                                      Entropy (8bit):6.246702749443142
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:60feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+YL4T:TP80zukOltwW2
                                                                                                                                                                                                                                      MD5:9DDEEDCF39F32C55A41DD12DC8961631
                                                                                                                                                                                                                                      SHA1:317A6834BC2B7A6E3766C1B655888BDF0C7B8308
                                                                                                                                                                                                                                      SHA-256:775815C4993544294E44EA83B3C242D72E9E99F7D23AF880C02F4FFE4B74BD56
                                                                                                                                                                                                                                      SHA-512:CC685F7F960113573345FC2E7D1760F9B7A12ED76AC9017692D2AB867572F28281D593CA109F159A0C6AE5F0ACCC12C0F539AB1C5BD83CE9E2A3DA4769CDC70E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):215080
                                                                                                                                                                                                                                      Entropy (8bit):6.0304720380518
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:q1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sB:VIzm6pOIgvr70
                                                                                                                                                                                                                                      MD5:EC0868979015D516787FCAA7CA0E5F6E
                                                                                                                                                                                                                                      SHA1:3672A54366D82CE28A5F3A25A6281072B45435E9
                                                                                                                                                                                                                                      SHA-256:70B27423EA7A908015D4F8A40E67EF023C8CB422B1E782D90A105BF1981525EF
                                                                                                                                                                                                                                      SHA-512:E05640786DE1E598A49092B2FCC243129717AE1746D894D2FFF0C54AAAFF12BB4204881373D007B69BFC16F91AACB0C5A29A0E79A6A816191CAA209CB420A66C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2
                                                                                                                                                                                                                                      Entropy (8bit):1.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:H:H
                                                                                                                                                                                                                                      MD5:99914B932BD37A50B983C5E7C90AE93B
                                                                                                                                                                                                                                      SHA1:BF21A9E8FBC5A3846FB05B4FA0859E0917B2202F
                                                                                                                                                                                                                                      SHA-256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
                                                                                                                                                                                                                                      SHA-512:27C74670ADB75075FAD058D5CEAF7B20C4E7786C83BAE8A32F626F9782AF34C9A33C2046EF60FD2A7878D378E29FEC851806BBD9A67878F3A9F1CDA4830763FD
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:{}
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):354344
                                                                                                                                                                                                                                      Entropy (8bit):6.153318474143049
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:qr/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYl:qhpp9xxIBeXGfvYl
                                                                                                                                                                                                                                      MD5:D423AF5708A85A62D9C2FA2008166E14
                                                                                                                                                                                                                                      SHA1:FA577CBD52F659AACD9E0E06BB38E8ABC77F9120
                                                                                                                                                                                                                                      SHA-256:96A33DBBC0285A0E60E26F72603785CFB3622A0F2018FECFD9DD4C6364D5CBBC
                                                                                                                                                                                                                                      SHA-512:50136E9FB29EF225A5E1BEFA3600A0ED50712E1855EC82D31C69C46914C28A2670F0D04355C9E58397E1AFA486AB7D4FAEAA364B16E8799148C485CC59FCC03B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):883752
                                                                                                                                                                                                                                      Entropy (8bit):6.071426082550366
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:E1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQB:E1n1p9LdRN39aQZUqI
                                                                                                                                                                                                                                      MD5:758E6813699EE2BC65A6B8AB9DB9878B
                                                                                                                                                                                                                                      SHA1:59F0F0BDA3C83FDCFD11382D7FA7034D3E443403
                                                                                                                                                                                                                                      SHA-256:347085922A13D2C2739ACB9635A46A401C5428E4244720D576317EC252723F92
                                                                                                                                                                                                                                      SHA-512:EC67941EDE60CE6C9E7ADCFFE781D7280597DB5D5D9C1A35B34F9DAFC2B8320C4171FB6018DC5E8186E29A3705C5BB4BF733F61DD0B7332222EE25F669CD43F6
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710184
                                                                                                                                                                                                                                      Entropy (8bit):5.960246410031846
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:jBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU0:jBA/ZTvQD0XY0AJBSjRlXP36RMGB
                                                                                                                                                                                                                                      MD5:1A5E0E8E52E3B61AC8E5A022E3C6458B
                                                                                                                                                                                                                                      SHA1:4B8F323732FF25E88DAAE46D0D6CD61B90377E2C
                                                                                                                                                                                                                                      SHA-256:618483C9308B8DF3DD5EE1965A7CBB419DEA32369E0636466DF7FA44AD449668
                                                                                                                                                                                                                                      SHA-512:058F32E1847101A8EB2CDF1A1659214864C776BBE788236C576A94357E262616C755DFE614C2FDC9EE23C38C52E1A77F2EF80DF5B3FEAA954F98C9A2D48D6A4F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):293416
                                                                                                                                                                                                                                      Entropy (8bit):6.121265926720703
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:2dmT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yw:2dc7N/WkQHr64w
                                                                                                                                                                                                                                      MD5:3E5ECBD39476F63D84738E0E1C20E168
                                                                                                                                                                                                                                      SHA1:BBD02BD728AC561DEC02CD22C3FF2CB88365BCEA
                                                                                                                                                                                                                                      SHA-256:16A9D6DEE7B4A1100F50D76992D6C8D3846F64A04C1B944AA6C2EE59AD1291F6
                                                                                                                                                                                                                                      SHA-512:9B87988DFC0C78FE2EB5F232E873D49C2F4A3A5F13CC1237CBC1EE16881462352DC0537D3478CE7FED4A43AE3F23FC3559D05A7BC4597B660F73A2A8DD736499
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):277032
                                                                                                                                                                                                                                      Entropy (8bit):6.190377243156036
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:hSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRlS0:uuQlBAMW0BvltxZ6R
                                                                                                                                                                                                                                      MD5:3BE6CB23581238117B1165B3C7A1E80B
                                                                                                                                                                                                                                      SHA1:ED0AD7C0B685D2ABACEBAC4323CE8CDC5B8029AB
                                                                                                                                                                                                                                      SHA-256:478BFDAD9699E288674A9921CB031DA4B07266FA0F3F43BACAC95184F5B269D5
                                                                                                                                                                                                                                      SHA-512:319720F8DCD45435171CF797C733CF07253F663E8873E7A94B32E6C0D027A9933DE24EBEFF00089540CC98D3DBB2892C8EB53648C641E369A1219A7B8C28577F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):284200
                                                                                                                                                                                                                                      Entropy (8bit):6.116831406251441
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:cZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHjv:qgo0WPVTXgL
                                                                                                                                                                                                                                      MD5:ACFE625DD1F6644017E798111D264831
                                                                                                                                                                                                                                      SHA1:B2C13E82682293BCE4463D3D2490D021EA0C0859
                                                                                                                                                                                                                                      SHA-256:33F8EA1196916DCE0674793E125F89247AC54168425C5FBF0B4F298145F80BB5
                                                                                                                                                                                                                                      SHA-512:C2EF0A0479705C99F72EF40B21A14075F98BFCD65569467D44B98DF1BCFA1898EC47957F182FCB8F03C80ED396486B06A01920315C1614CCD96CDB080DD8A9C8
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):22056
                                                                                                                                                                                                                                      Entropy (8bit):6.676097587903696
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:sy/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOqADi:suhMaVmzDC6k0EpYi60h
                                                                                                                                                                                                                                      MD5:53C97103B34DBD9384E4251F09EB01ED
                                                                                                                                                                                                                                      SHA1:296A0C99DB385D0177102C23161F57E98CC72197
                                                                                                                                                                                                                                      SHA-256:15F176972DEA11A4B76FF0C9FE669E82E3F3D55951FF1DF7BD39B233FFD029CB
                                                                                                                                                                                                                                      SHA-512:611559389187FAF5CF0748B6947600723A14ED9A789B1A236528F41880FDCEB079D721ADA9F2991366544B0E213CD37B67230C3CD723297AC4C111786C890E6B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):409128
                                                                                                                                                                                                                                      Entropy (8bit):6.097979108391063
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:bPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc12:p6heZBJm333M89QAv
                                                                                                                                                                                                                                      MD5:3858D32B6499A109CBB854E1D520B8C6
                                                                                                                                                                                                                                      SHA1:58C3CE821E1099B74904DFD7B34A8D2AF493B5CA
                                                                                                                                                                                                                                      SHA-256:4669C4AFC929FE5DF58B169EBC2463BAC83F867390918B2CA6C21198B3E1B1F8
                                                                                                                                                                                                                                      SHA-512:35E6668F8DCFEFF07C265AA1751274FA4EAB3AEC5643EE526B62244F5662404CE487E7D72822820EDFCBDBA843DE5F406A37F1DE4294960C94B6EF8F153AF5B8
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):51752
                                                                                                                                                                                                                                      Entropy (8bit):6.234006910981014
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:Qzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDuyEpYi60Wt:QzpjF0/t043e3vggr83jMYa/hCT76Lt
                                                                                                                                                                                                                                      MD5:E5AA555797EE6B66234B12FFC66294CF
                                                                                                                                                                                                                                      SHA1:8F8E00792BA4F560CEAA0AE921AAE35686BAA1A2
                                                                                                                                                                                                                                      SHA-256:5683B28288592916552AE470507C7A7C9758BF90B6C444A32DA9DB9CB0EB09C2
                                                                                                                                                                                                                                      SHA-512:C1F27291F806ACC3B7E1F3788DDE7759E73CB3BA46F8F69E665AC05ED9901D8EC6A9F32C333607F4A312BE21E934C6176ED37CFAA58CEBF07F7319F79BDB9595
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):138280
                                                                                                                                                                                                                                      Entropy (8bit):6.178587040008723
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:xP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJH5:xh0qjC5RMOHO420kN1C
                                                                                                                                                                                                                                      MD5:0297D137B4074D003828F8B32E0C8FA3
                                                                                                                                                                                                                                      SHA1:361D49888CBC6AE53EA7A0BB9ACC794D0D7FB728
                                                                                                                                                                                                                                      SHA-256:9FE2BB55D334023DCFC7925582D6A7B3A3635A0406D9F90FEADDEA8EF8CBEE48
                                                                                                                                                                                                                                      SHA-512:AB474DE4267C014B4662DC71E540E0196EC1F6847B931B381C01750A81AA255EA2369BF3621C48C59E1CB8E912B91854AA190A38F9A79B8476EA1AA153FC339E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17960
                                                                                                                                                                                                                                      Entropy (8bit):6.671037715639926
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:yh06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeBo38:yy9gpEpYi60Ah
                                                                                                                                                                                                                                      MD5:C10B5E1564AF42CEC775454CAB8F5A47
                                                                                                                                                                                                                                      SHA1:E23F9E1F26B751C8A69AEAE1ADEFC671E50183D2
                                                                                                                                                                                                                                      SHA-256:E64018A03E1EAC23F31A32B51AB3CB5FDE9F18BED54221BFE8437DA740AE1BF5
                                                                                                                                                                                                                                      SHA-512:C83D522441521BC57A3B947534499C23BAFD5DD71220A0349DD140995E8B59254DE15823B10B975347563807854441E23DEADF2B3367241893AE0FD77C35A092
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):27176
                                                                                                                                                                                                                                      Entropy (8bit):6.332608170737532
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:6n1VM0JrpNWDcIh6leOiDFIFBYp1+yWEpYi60V:6nvXYcIh6yFIFBYpcyX76s
                                                                                                                                                                                                                                      MD5:E6EC9F19869FF3DA53F003667220A4E8
                                                                                                                                                                                                                                      SHA1:2D95B5DC4EC0013D1A8CF04EA9BC54789DC5435E
                                                                                                                                                                                                                                      SHA-256:AA2C8CA7B15429B23943B459A0970D5E9BCB73BAC98886B22E924DD00BD48267
                                                                                                                                                                                                                                      SHA-512:02193E2983C4BBCD74C178279F19A0691AD3AEB18E4474E43A202BEC7C76BB1DCC9D76744B7AD803FEDD667D88EFE92B445908F3F1FCA87D89FC491042773A9E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):73256
                                                                                                                                                                                                                                      Entropy (8bit):5.953030587257899
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:w784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAsk76nc:w7N1r9KGI04CCAskwc
                                                                                                                                                                                                                                      MD5:252FD342F5758A63A2AD972A89C6AFCB
                                                                                                                                                                                                                                      SHA1:7406EDF1BCF0765C5850578BF0BDE424490A3279
                                                                                                                                                                                                                                      SHA-256:290366591DEB85496FD224748298F7A830587D5B438F519442E34932FD916C04
                                                                                                                                                                                                                                      SHA-512:217800538609CA30957D9EA539DD68A94793EEE2F3121A14CD53D02195495F866FB17CD3414922ABA133FFBA3622FFB7C163E237B14F5D6CDB682EC7E6D1AC49
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):4019
                                                                                                                                                                                                                                      Entropy (8bit):5.255676635670414
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:0OgDOJdXg8OJxgFOJOgYgOVOhVWgBNNXzHSxBNN4zPzRlXNzSPeZgg9dSjedcdSE:0DGdQpO4DH8afhbZh9A6qA4AAADjAN
                                                                                                                                                                                                                                      MD5:FB09E8700F6897042807DF07A0890961
                                                                                                                                                                                                                                      SHA1:64A9679EC8D0D325A46F52D326A123A8FF019765
                                                                                                                                                                                                                                      SHA-256:94F8ADA475D830FD5EA129D779B06B8E3528603BE5C89FF5360CDFC8C6DD7F40
                                                                                                                                                                                                                                      SHA-512:B05A46564D6B9EC2505DF8B7507145CE9C75347D034AAEF8D8A5F3FFE66C192A4AC9CA5C495BF71CE0A9A422F14A07E5CE4C89EA402C940787FA57C3126D9166
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:2025-01-14 13:35:20.3635|ERROR|WindowsWindowedEventLogProvider|Error on retry number 1: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2025-01-14 13:35:21.4573|ERROR|WindowsWindowedEventLogProvider|Error on retry number 2: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2025-01-14 13:35:23.5042|ERROR|WindowsWindowedEventLogProvider|Error on retry number 3: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2025-01-14 13:35:26.5198|ERROR|WindowsWindowedEventLogProvider|Error initializing last processed events, ignoring file, exception: System.IO.FileNotFoundException: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...File name: 'C:\Progr
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 12, cookie 0xb, schema 4, UTF-8, version-valid-for 19
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):49152
                                                                                                                                                                                                                                      Entropy (8bit):0.9368335820871025
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:mu5C4OoNSN1eN+5NmKZDzWL8OO7QzyO+pA:z5PsveM5xtzy8OO7QzyO+p
                                                                                                                                                                                                                                      MD5:6CCF37E3FBD9F4F1B9D19398E3620886
                                                                                                                                                                                                                                      SHA1:38325CD7A95819C36137CE566B0D0B393367DCE6
                                                                                                                                                                                                                                      SHA-256:265465EC189876D9B5C4D88C27C3FD48130B8331E5FF1A0C8C143F535F687A43
                                                                                                                                                                                                                                      SHA-512:4D5EA68FA7DC9A1F7BA95113E2BD83C98BD394699D9049712CAFA22CD1816AC42D3469CF30E227E2391F395CF296D0F5ABBB49EF32DA03E95C17A10CF39FAE0A
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                      File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):8720
                                                                                                                                                                                                                                      Entropy (8bit):1.895142718848188
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:7MovqsFu5C4OZUlFJNGdNGveXXQXN+5NG1ZG:7LPu5C4OoNSN1eN+5NmG
                                                                                                                                                                                                                                      MD5:0113D24E67F073EAB26407D27CDB128E
                                                                                                                                                                                                                                      SHA1:453F908F6DFDA5489602DDA2ACDEAF1CF768E0FD
                                                                                                                                                                                                                                      SHA-256:BE5B82D463BE1DEC4D7F628C179B7504812005D4365D388F040E298E5B7BA17C
                                                                                                                                                                                                                                      SHA-512:FF178F80C92E8164615B424B6622BB6DF27F2147F0295A32D49496E6462256B3E638C2241D95FDE2848B7EE7B4E45071EC2C5E1FA352ACE587ADEB93F56F9F97
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1799208
                                                                                                                                                                                                                                      Entropy (8bit):6.520425420963731
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:WuvfmOhyS2RuhV0yGzcuHpRs8ulCfUk+qKuMhUwqPevJ8QNYfjmqBBLbNFEohFYi:hHmUMohVWpu8ul0UkTgNCfyo39
                                                                                                                                                                                                                                      MD5:2DD13A5E8B126E524393BAA28A18AFEC
                                                                                                                                                                                                                                      SHA1:9A0E98BBBDE36C58A717F2E4C7AA63437B08DE13
                                                                                                                                                                                                                                      SHA-256:034E3B1EDE4A4F55BE311F2CD5EA060ED34262E6A55C0A6E9846152874E87A5A
                                                                                                                                                                                                                                      SHA-512:AE4DDF208E62A23648089EE54FCA2B6F5668FD02BB687AED1C899B62620D55249F638441D576B21FD9555776888C7FF8006092E08C77A39C86FE1D07994D6715
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                      Size (bytes):1475624
                                                                                                                                                                                                                                      Entropy (8bit):6.791755112478489
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:US3uuk58wXpQous2GCzbHwGTzsIDQAKub0MBsIFBm5fi/5ATA9NTTPjXWJD8qB:PdwXpQdNVNDQubXyi60jXTW98qB
                                                                                                                                                                                                                                      MD5:1DB9AFF80C0290760E80567C8E55BCDF
                                                                                                                                                                                                                                      SHA1:F609878ECD10C56C11ED80B3C6DC875444543E6D
                                                                                                                                                                                                                                      SHA-256:2F7DADC4BF447B8BB132A7BBC6D5F6FFA560B419E14403B77AAD30734006CBFD
                                                                                                                                                                                                                                      SHA-512:31C55E74016721B084E0A285A17890DA5AC703C17BC346CE59346E291F03B833C12B8429AF6794D2F16DE203F912C1D88D54B666B5904270A5F4DD21E848CB79
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2950671
                                                                                                                                                                                                                                      Entropy (8bit):7.998749206513446
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:49152:Zzp6la8mL4UI0EpZQScJrHOmsBGxL16A5S4GmurSNV6lzb8E4Ow3ntOR1:OI8CVpEUBlltLolrWoznw3to
                                                                                                                                                                                                                                      MD5:AB8D85C093D6F0180BF09EC0F466B78B
                                                                                                                                                                                                                                      SHA1:1DAF355D14D45B1E411F96FA394A98A84C09E53E
                                                                                                                                                                                                                                      SHA-256:D1E08C8DBF3BFC34E3FDFC390D2E7F5B871F95376E7DDA93E3DD0051D580DB40
                                                                                                                                                                                                                                      SHA-512:2882292301E1FB85B410570ECE6CF05F3E89968A02450DBA192A1F97282F1C08ED30819E3D36C524FBA3BAEB6A2C22A10A762C8313E8823C07554B4B975CC00E
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):29224
                                                                                                                                                                                                                                      Entropy (8bit):6.373827321096345
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:BpWI4FJ1CsZ1pL375SImXkmlkgGIW2W8f8Mn0DpQ8fz0m1NNyb8E9VF6IYijSJI+:vlexZT375i0qvT+b7z1pEpYi606g9U
                                                                                                                                                                                                                                      MD5:7C7EE1A3814D383F682C3FC35779B36A
                                                                                                                                                                                                                                      SHA1:1A1FCA5A7417DA277CB1524B44ECFA58869610F9
                                                                                                                                                                                                                                      SHA-256:7802C8F3F7CBC3AA4F2E0481804149F1C92FFD8BB2AB2437F9E01A7EAFAAFE33
                                                                                                                                                                                                                                      SHA-512:7D50A1BB87B1FA98FBF6D54C1A53CF3C1E682DB334C9AC310442DA6440F084FB9FF32430C7E0C72EBD787905F55810D3C4846CF60A0675C2467D0BF6B53AD719
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2006
                                                                                                                                                                                                                                      Entropy (8bit):5.012466327549389
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:327h+1/gF27RgdSagFsg+w3jdgDSg+CagFPr7:K4Mw9cr7
                                                                                                                                                                                                                                      MD5:DE33D7BC716E96683CCAEC7E3DECC54B
                                                                                                                                                                                                                                      SHA1:6CAC5E2AE17A91F55760F3652DD1D954CFE34848
                                                                                                                                                                                                                                      SHA-256:E9EC2DB29E1A7F44D6FAD976E29627E2EBCC1C9FD1797D56A69106260B70B65D
                                                                                                                                                                                                                                      SHA-512:353BF5BC4E47C7218CD3EECEE83301950FAA7D48644BEA3FE2F47B5AB432D43B466EBCF8E1A1911923EC423D30682A8FA42A3EA878E7D85C8E91EC841543B887
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):201768
                                                                                                                                                                                                                                      Entropy (8bit):5.74845613160659
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:gi5nVoxzGZzezm87EmUQ9XILSWUPH309T1qT2tl/pR3rPd3iqiTjFvd0uhH:nRVICezm8779XI0/YTx/pFLNiqiTjddN
                                                                                                                                                                                                                                      MD5:D0D21E16E57A1A73056EAE228DA1E287
                                                                                                                                                                                                                                      SHA1:AB5A27B1D3D977A7F657D0ACDF047067C625869F
                                                                                                                                                                                                                                      SHA-256:3DB5809F23020F9988D5DB0CF494F014A87B9DC1547CF804AE9D66667505A60C
                                                                                                                                                                                                                                      SHA-512:470BAC3E691525FF6007293BAC32198C0021A1411BA9D069F88F8603189B1617C2265FE6553C1F60EF788E69AFCB8AA790714C59260B7C015A5BE5B149222C48
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1780
                                                                                                                                                                                                                                      Entropy (8bit):5.027025756159462
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:3rrL7h+1/gFSagFsg+w327RgdSg+CjdgDt:7r34owoR
                                                                                                                                                                                                                                      MD5:09CDFC3063DEC485A3C48111D5CEE297
                                                                                                                                                                                                                                      SHA1:02CEFEC66B6B2EEE120F97493D438F3B270AB5CA
                                                                                                                                                                                                                                      SHA-256:0ACF70AE533AF7D079F370AB3102B9563CA4C447C5DFC7A20C88AABE04295C01
                                                                                                                                                                                                                                      SHA-512:CA39056F79EFC8CE050FCCE1AAC21B2E7B62E65A0521E3CABF90C58A7249107658C2D208706FEC456CCC74D58DCDC22E23ECBAA43684613D4826505A426E1CB7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depend
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):12
                                                                                                                                                                                                                                      Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhWA:Wp
                                                                                                                                                                                                                                      MD5:9A5E9A329E4E73E0C499371205A810DB
                                                                                                                                                                                                                                      SHA1:5B6D85657D4ACD89867283FBE372E9E85C30686F
                                                                                                                                                                                                                                      SHA-256:D109087C4CA318CAD74B7560C32594D37181885ADBDC9348BA1DD35D47B35B92
                                                                                                                                                                                                                                      SHA-512:02BD5261B9E795ED5A07BADD65A6CF71D18751452FB44BDD424DFCC6C50BA7441E0066B125E731018FD6F1A8A002AC4E6961C7EFF21C36FBDA58C8015A100C43
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=30.3
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):102440
                                                                                                                                                                                                                                      Entropy (8bit):6.1906245131779745
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:pPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OLv476sy:p2bYbYSWd85I5sSakFQhHLv4m
                                                                                                                                                                                                                                      MD5:D33CE12A25C2675057480654E98ACDC5
                                                                                                                                                                                                                                      SHA1:71F6AFF63988BC9FC9E8D08DBD0151F62E6A8647
                                                                                                                                                                                                                                      SHA-256:F188D7C9B9C35462C556CF87A6F0880B5BAF395CE255F57076CF9AC8DC0E1A2A
                                                                                                                                                                                                                                      SHA-512:DBD65A27A33AC5C3507716E89AE40413B4C2AAC3BE7415977E9447FD89FB7164B7DCB6A8B8974434AE04A7A6917DB32810F1E278EEAD2590C327E30B9A125D1A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):95272
                                                                                                                                                                                                                                      Entropy (8bit):5.9964164933276605
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:A4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkjUB76654:A4auS7S5Ea6WMcpuUBL4
                                                                                                                                                                                                                                      MD5:FB232BA20FACFAD72C87477E1B2B3D72
                                                                                                                                                                                                                                      SHA1:1DFB6577FE0E2E2C60D3848AC588E94F7D93EAB5
                                                                                                                                                                                                                                      SHA-256:828092942C6967EBBAA62BB4F0AEDAAA97522888B59D9DDF708CB863B9D2075C
                                                                                                                                                                                                                                      SHA-512:EC546864F910B72A2723B60C3FA580F6CAE753E623EBE90884B70EBF93E8B511028B355E03F3282D8C5FBC82B6E128FD0893046103DECE289BD371730BA31C53
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16424
                                                                                                                                                                                                                                      Entropy (8bit):6.656724826773557
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:aXh+/DtY2PLNyby2sE9jBF6IYiYF85S35IVnxGUHFeFlWNZrO:aXh+tY2jNyb8E9VF6IYijSJIVxaFatO
                                                                                                                                                                                                                                      MD5:B1224C51F1E9A789EE35AD5218220D2B
                                                                                                                                                                                                                                      SHA1:78043C5AE8AF03B893A4A7C28AB47566A0764B1E
                                                                                                                                                                                                                                      SHA-256:662723280B3F78040BB1DAA661F41AC4D5C5361827273541B569F0B5D1602125
                                                                                                                                                                                                                                      SHA-512:46735609B77A36745CA0BBB353FA1DFE2294382F7F96562C84CE30751D8340C184E62B1FA0DACB2483F5A62166A691CD1A547D2310F9DAE01C3423BF1267E47D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):75304
                                                                                                                                                                                                                                      Entropy (8bit):6.241390537473756
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:Hu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYA:OF+qo7mDEwj4NXLGcfgruFcaD76jZ
                                                                                                                                                                                                                                      MD5:7EB99AA11E05B3EFA0F65A4435FFB315
                                                                                                                                                                                                                                      SHA1:F07773C71BDB5769667B38E531AF58F64445F74B
                                                                                                                                                                                                                                      SHA-256:0AB86983F01493D5B8297A99BAB27CBF097A4FF68384C1A039DC8B1B0C302C17
                                                                                                                                                                                                                                      SHA-512:6E79E621D2893FB51933BEA95376B40CBBDA947B74A2AF7604166C821D6E8CD98BC357DD8DC16E250E7176D0DA7E19AA3D4702D4149E4215F0BF6D38A9CEBDAE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):51752
                                                                                                                                                                                                                                      Entropy (8bit):6.405565171295978
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:ZQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyXXEpYi60k:Z9MYn1seLE8JFMLcyXQ76h
                                                                                                                                                                                                                                      MD5:11AA54E91257EA281D455DB6B77811B9
                                                                                                                                                                                                                                      SHA1:13734726D6CB87F3A02E78A2C68FC2A35CAC9B24
                                                                                                                                                                                                                                      SHA-256:63E84943E0173957D2B3869CE2E0134359FB36F5DCCEE1B8A9B1029071039D2D
                                                                                                                                                                                                                                      SHA-512:2539F92E62CD67EAB842E5A982A9611B0828D547D18BE30DD8A69FA7841D629AE9E9589A41A36D472A9E68DC7CA1E063A8CE4A9D526B5266B7BB1BB5FFC4FA3C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):145448
                                                                                                                                                                                                                                      Entropy (8bit):6.203592588382526
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:zRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhO:t9XeDmzV2yzlhKLFU1lLVp1+2flYFnQb
                                                                                                                                                                                                                                      MD5:C0DF597621C8B37AF65BB61DE0C42AFF
                                                                                                                                                                                                                                      SHA1:7676065361D8822586F8A2E06C5D6BDDD23A3EEC
                                                                                                                                                                                                                                      SHA-256:F616623B4CC8999F0DCADC73F98BCC4289EC90CDFA0749EACB3FE2F0401AB474
                                                                                                                                                                                                                                      SHA-512:4F43937B440B23145F0A87295AECF7160118D71BCD1A0D2650FC025C7A630F5AEA773A28593F77C67A8C2C55FDA7299BA3F0C09BDAA4532FDAE9FF88C673B393
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):96296
                                                                                                                                                                                                                                      Entropy (8bit):5.6334365923289385
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:92kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhkW76fJrk:OQmyxL2L4D+YZL2X7SAaqywjhkWerk
                                                                                                                                                                                                                                      MD5:372842434C221E20896C8F46EDACA92C
                                                                                                                                                                                                                                      SHA1:F58A0757262F84933744252A0B4FC1D38F15DB77
                                                                                                                                                                                                                                      SHA-256:FA88BB99081003615E0BED4FA5AA167333DBE0B05A1A63B51FAA5DA7BFBE5663
                                                                                                                                                                                                                                      SHA-512:A1A9A8B073F0323ED64D21A894BB93CC86157F3B8B576D1496854D26AC05334FA124E094F60E632C0F49B117B7DF0124AD2C5329A2E34F94D0A34333D0DB242A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):386600
                                                                                                                                                                                                                                      Entropy (8bit):6.135937789568278
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:9sETsbZnV4Nsaw8MkaybNq0qJh1rDHq4so8maLvdGCBg/8Q/ZmvEyJ:9sbZnMfwWFKFrrWa8BvEyJ
                                                                                                                                                                                                                                      MD5:32C2B12FDB90808935E6EAEBC0C5FD78
                                                                                                                                                                                                                                      SHA1:A18B77B7BCC1D041407D7156601F3B5348656B02
                                                                                                                                                                                                                                      SHA-256:35A59D6F04E98951767DE04524EB64B7CA726E205991CD0931527F455BF0F3F8
                                                                                                                                                                                                                                      SHA-512:CEE29FA1F7F976A4DECAAB7C30FC4951D540A30DD2EB4515605BB62CF0ACE9E8712CF9FAAA4DFBF7B6B60EEE5A9A2C5CF1A46785322D15CA2BC8F528225C8004
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.83810396352101
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:7N9VWhX3WseNyb8E9VF6IYijSJIVxF5WGJ:RGZmEpYi60h
                                                                                                                                                                                                                                      MD5:E88A7FE06B461A6EA66D56E239910CC3
                                                                                                                                                                                                                                      SHA1:7CE72B25B887DDAD309ED0C7EE2A504AD1913B9A
                                                                                                                                                                                                                                      SHA-256:625D7259448DF2BAF8844310FB95415F00B8BAA4F8300CE2C43F90CA9AD523A8
                                                                                                                                                                                                                                      SHA-512:BA607172615D676E9786C4E3E92316BFACFE2589D29F4AE95B1F2FD967663812520A40ABABAF7ACC844E4D01190B084460BC5BF82B9EF183DE3684CC433FA90F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):331816
                                                                                                                                                                                                                                      Entropy (8bit):6.1686260686243735
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:VBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTn:VDMUWITZznu85k8Wdn8KmCjIFi3Vvb
                                                                                                                                                                                                                                      MD5:84688C58A26961FB5CC64B9C07245201
                                                                                                                                                                                                                                      SHA1:B823A565015EA4D6056FB776C2878DCFBD45F65C
                                                                                                                                                                                                                                      SHA-256:2AFA0F82215A9821746C680EC3CF8358244EA71689A3074EC8BB1BEF7D39DD67
                                                                                                                                                                                                                                      SHA-512:162AD6C55E9F3E7E7962885FE0AFD292C73DB9469354760BA0E949B9D8BA5E6657ADB7768D0432CDED9128D82293B3D1B8A933908D09FC07E95C7A6BAFE94ADC
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):883752
                                                                                                                                                                                                                                      Entropy (8bit):6.071445078992113
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:E1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQS:E1n1p9LdRN39aQZUqD
                                                                                                                                                                                                                                      MD5:B65642D5C268E5335B6D5BFFF0690DB0
                                                                                                                                                                                                                                      SHA1:A58882087ED8377F88F9BAA6E448E64D214BD048
                                                                                                                                                                                                                                      SHA-256:7A202887AC81D4C379102C5E66EC02AE6C58DEBDE9AB99D72B50263F83862B7B
                                                                                                                                                                                                                                      SHA-512:8E7DA62E9D0E288DC9EFC9559A2640A0C05435D6A25F8023857256A4B4C9AED55593220A930ACB6D171E01D968F1B2CD9748191DE7E242707E1704D140980B03
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710184
                                                                                                                                                                                                                                      Entropy (8bit):5.960272795417215
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:IBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUc:IBA/ZTvQD0XY0AJBSjRlXP36RMGB
                                                                                                                                                                                                                                      MD5:154279B228E454EF4F2C00E6641C4156
                                                                                                                                                                                                                                      SHA1:7ADC7DA40FAF7F84E5F7EFC1CEA2B1A782B6444F
                                                                                                                                                                                                                                      SHA-256:24FA79B003DC41A0C8BB5B093C84767747BF92679559B329A5F97CB1BFB7E9ED
                                                                                                                                                                                                                                      SHA-512:9D521972D56F47824D35E47BEB3A1AF8961CFD55E1C4CE07053BAC373CF80A980C5415D0E5CEAEBF71EBBBC087D76E633286094516CDD4B2F987CEAE00DB37D2
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):285736
                                                                                                                                                                                                                                      Entropy (8bit):6.184607903346133
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:vZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zvz:vZU0BJwuOcrl1w7HX3HW2
                                                                                                                                                                                                                                      MD5:57A1AEE6DE2FA4131930B08624B644D8
                                                                                                                                                                                                                                      SHA1:8823A7D95F04C5E09F00858EEC8E79FBDF19FFD8
                                                                                                                                                                                                                                      SHA-256:C4146ACBDFAF502E9D48817D75C3E55C34DD2FD809B1256C25E151F431D09650
                                                                                                                                                                                                                                      SHA-512:476E308A37B7EE55380B5C70A1CF5E4F9269E5D29C2987CE2B67060069D256E2797DB21185F1A1688284EF455764278E9C27CB11CDBB9A6AAB4A81822EDA05C9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):25640
                                                                                                                                                                                                                                      Entropy (8bit):6.561297207852954
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:yAQk7qYbA6fXDpLk5LHAxOEaGxBtNXNyb8E9VF6IYijSJIVxsfJH:R1LOg3BtNbEpYi602H
                                                                                                                                                                                                                                      MD5:972828A8463F21F9D3C52893BEA77D25
                                                                                                                                                                                                                                      SHA1:135C36153186F2BE11B7EE4F7122310000B3EB71
                                                                                                                                                                                                                                      SHA-256:7D39C2DA637722ECB4D54846B0378D7BCFF82378A5C3FE1C699977AF7F8E368D
                                                                                                                                                                                                                                      SHA-512:B99D577447B031F45BD876B1A26E4B72503359EC743FE4A9A28CF2014E24D3AFE542F7FA961D22B184E5758AFE66A17A7ED1FF738FB8F24A4283DA5C2C2F72D1
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2029
                                                                                                                                                                                                                                      Entropy (8bit):4.997010915207503
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:3Aruz7h+1/gF27RgdSagFsg+w3jdgDSg+CagFt:wruv4Mw9y
                                                                                                                                                                                                                                      MD5:A1DB8C019769BA7256F40E580304C782
                                                                                                                                                                                                                                      SHA1:6C0D70EE9CEBFC288A88B100F59D5554F8C42A35
                                                                                                                                                                                                                                      SHA-256:FC68DEF71CD783C53B3D106317F879E544E3443A55AF195BDD6C663F8051A96F
                                                                                                                                                                                                                                      SHA-512:795C141D06E70CD0D91ACFFE74F519EDB78382588B10927D456D20AA70D10BADCF02A626B8B666B00B21CAFCD555F03029D16EFAABCF1D762D58AA8095B6527D
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependent
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):210984
                                                                                                                                                                                                                                      Entropy (8bit):5.348173320507078
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:rsMNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z54a7v:wMNkrE4AOqcIzQijLt
                                                                                                                                                                                                                                      MD5:9098FDEBF06AD4F86DBC6567B8F0E889
                                                                                                                                                                                                                                      SHA1:6B38B07BDB90F452591D4679BFE5CC436E048E48
                                                                                                                                                                                                                                      SHA-256:D85301799C1080DD41E88CB37FC4D27465E2AD888ED527EB28BB2A2A2EB8E03D
                                                                                                                                                                                                                                      SHA-512:E7F54A26E75FF693C2484B78571BFB95F95E6802BB37E4AAB622C4CA095C247A9A729AB025784078C29ECA58C23FDD01D9BDF0DA166A096B11D0E6CD7DB4CC7C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):19433
                                                                                                                                                                                                                                      Entropy (8bit):4.9963400212242055
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:hrg4CdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrPOPUDCTHffIz
                                                                                                                                                                                                                                      MD5:78AE9CC6C7B11BAC2B18E82FC7623CDB
                                                                                                                                                                                                                                      SHA1:8314E6F35448B820C7C703FC3E4DE598D2A51AEC
                                                                                                                                                                                                                                      SHA-256:D3841AA3440CDA26776DDE128157294E69A70B21344D5877D640C457353C2DCB
                                                                                                                                                                                                                                      SHA-512:CE6A750E75090487C47095B80D47F5AD0C3D3DE4D6EC58A01E14CC694600FEF951AE371DD2A1B82C756ADD66825611B13240DDD3AAE6339ED85DBD3392DED7E5
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" pub
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):284200
                                                                                                                                                                                                                                      Entropy (8bit):6.116902682924283
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:3ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xH+:pgo0WPVTXge
                                                                                                                                                                                                                                      MD5:988C9D7CB794FB98A0F00B1CAC123D30
                                                                                                                                                                                                                                      SHA1:731A6D91362D0B4245FDD328B17E6F505E48EF80
                                                                                                                                                                                                                                      SHA-256:1F3ED7348B7C41CFFDB9A062C9B654931ED590C77EB4836BCD77A7C64B0AC39E
                                                                                                                                                                                                                                      SHA-512:AF6DE7DC4C78C8C2055BDC99FE9C650E5C44470F0913C3B8D495B7846F63BAD0328918E73C04A542DE4E67C800FCD83925F11C3D174C8C8E1F07D27497AA95E3
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.8059658320981615
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:WDNxWQFWsoNyb8E9VF6IYijSJIVx5+ssR:WDNVLAEpYi602R
                                                                                                                                                                                                                                      MD5:C2064A5B14C1F424718709B04DAF0FB0
                                                                                                                                                                                                                                      SHA1:326FD58B738A32D9DCA68012F5A6DC1750239365
                                                                                                                                                                                                                                      SHA-256:A14785B5EB132463A789C8F8BAFC61743A8E7455EDCFC2D4575DA21E418D60E4
                                                                                                                                                                                                                                      SHA-512:4BD4E5C38F542AE41E4FE2A0FAEA69D8B37096BC523911D2263BE861CBE4A64B9EDE87DD8B3D17DD6B25A57A05038C241171784DD63EF4EA1495B1FBF17B3ECE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):22056
                                                                                                                                                                                                                                      Entropy (8bit):6.6706281590582215
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:vrMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxAyiI:vrMcXP64LEpYi608I
                                                                                                                                                                                                                                      MD5:9FC668EE53969623508CCF6611FD57F4
                                                                                                                                                                                                                                      SHA1:81F19A067020D8B9CC0F9FEBCBC50D94B9630C88
                                                                                                                                                                                                                                      SHA-256:E9880A6D15335C034660442B04F89ED53E1BCF0188B059DEC110A4152F4EF413
                                                                                                                                                                                                                                      SHA-512:41E3C071BED8B32444EE2D55513E91839A6076E2CFE534033290DFBD4E0442CBD985EEB7B15ED4400DA4686514EF45C2B8FC39E690DD3B79D44F1BED24B0AD2A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.907673358776868
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:vm2igOWnW8rW/tNyb8E9VF6IYijSJIVxPT89xNgl:XtaJEpYi60w9I
                                                                                                                                                                                                                                      MD5:B1530AF38169AB17993803DCBBC97C15
                                                                                                                                                                                                                                      SHA1:0C4D4B813EB48CAF441C0987583D8E2B4A8E6FC2
                                                                                                                                                                                                                                      SHA-256:79F518D394DCB75B424F364C2DBCB7E114B51DA4C0DE8BAA6CC5559FF781A152
                                                                                                                                                                                                                                      SHA-512:F8A9E3C2BC50CABA0E7BFB2AC747D8DBBAB7A82E361C85212148048E5FD66C4107323943E753090BFDDF7267A7B53390DD61FF954868CA664EB6933F5D7B41E7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.8985842585077926
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:nnapn1iwwPWcGWT5JNyb8E9VF6IYijSJIVxagmKEFYm:aDur5NEpYi600T3
                                                                                                                                                                                                                                      MD5:0763A802D1B4B276635E612F35E23FE8
                                                                                                                                                                                                                                      SHA1:3C256531D21E35595E3699DBFFD9C9C50CC9098A
                                                                                                                                                                                                                                      SHA-256:C17C283DE1A8ED8FA5438DCB8126EB91511E2C49D0706DA50813E23466679DF8
                                                                                                                                                                                                                                      SHA-512:87666AE8FDC33F07C696B0C0057347376E5EC47AEE0F7FC5EC0070F5846194E9BCC1BF624872C11C4ECFC9F2F7A10E5CD3EFC9591948D5DC41CA43AC5DAFEB16
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.905536792862369
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:qHLaEav5aaUa6arWVLWrMNyb8E9VF6IYijSJIVxg3gDHvA:bPv5t/NOOMEpYi608cPA
                                                                                                                                                                                                                                      MD5:847AC54FBB84C86BB024795BAE96C693
                                                                                                                                                                                                                                      SHA1:D2124E516D2D01B3B840800A15B2B6E2F2DA972B
                                                                                                                                                                                                                                      SHA-256:4B45720B96ECCD3B3F812ED05E4835A5EAFC3FBFD6505D0E7098864F8B4E44BB
                                                                                                                                                                                                                                      SHA-512:A22494D45CABBC91C732D35EA3CFCAB7207AA62F2FDD872E5BEF252F0CE67E1D9524747E420BB09A10262607F305C734F89D7806839D99D1048367323C54F715
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.75992303278916
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:06iIJq56dOuWSKeWukNyb8E9VF6IYijSJIVxHDRxQxd:GiAuEEpYi609mH
                                                                                                                                                                                                                                      MD5:435008FCDC6949D74403F8937A9DDED0
                                                                                                                                                                                                                                      SHA1:4E9C38420DB7C87C58AEC9271E8A0A968F47AA96
                                                                                                                                                                                                                                      SHA-256:A4A1EA474185E9D56EFCAB64E6A34FFD563CC028A91BB1FE85BFD97773F1FC92
                                                                                                                                                                                                                                      SHA-512:81A7D83D7484BB1B38F9B2164AD42D0D31346626653F9503977942C43F49C7F43227718B50A552AB8D26FA410D08EC8E034B4F71466916B51BC14F1743B38379
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.8111682906136926
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:onzz+MpSaLWW0+WCANyb8E9VF6IYijSJIVx1JHtZ:mpui4EpYi607NZ
                                                                                                                                                                                                                                      MD5:A380572A319B32A3B1D2D2D2C198E86F
                                                                                                                                                                                                                                      SHA1:978096C136F070F4D628E7969BF03110275C3E34
                                                                                                                                                                                                                                      SHA-256:2B8D11EC79CA4F85DB4AB9FDD54B13764006051CF6D212B726F15C798A723F9F
                                                                                                                                                                                                                                      SHA-512:34B10A058B1EF692134C37EBE9337F5A1730B70C3153345CB9F9DB5E89F76FEE2FD8C3C129106A8730436C391ABA2D8B4C9F4AEB2B01F64DF2C540A0E0D69346
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.859379458293653
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:gGhr+YUfyHxsW/HW5zNyb8E9VF6IYijSJIVxVUlNb8:XkmcvEpYi60yb8
                                                                                                                                                                                                                                      MD5:4D36FD75A70633F10124CCF793AE139C
                                                                                                                                                                                                                                      SHA1:DDBBEDCA52929A9DCFCAB83D39897B092F8BBCE4
                                                                                                                                                                                                                                      SHA-256:652F384CDBE805992817D54B5FA1B2C680367E0D8C49AEE3C72024C9803ADD66
                                                                                                                                                                                                                                      SHA-512:32905A1EF9AE27309932673DC0BEEC9A93EBA9DD202A8187C1614EE1AEB8B4F93133985F52D60801189130684D49C507455C7AB59DA2FEC31B4177EFD619DA80
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16936
                                                                                                                                                                                                                                      Entropy (8bit):6.785283839401024
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:GRE+ruiA5vzWeNWdSNyb8E9VF6IYijSJIVx4XyHyT:GS9b2yEpYi60YMyT
                                                                                                                                                                                                                                      MD5:6328ADD138DF8C29E75BC14F5D2120CF
                                                                                                                                                                                                                                      SHA1:9E1E01B0FB0EA37CE687EF3E1A4FC267F303DBC3
                                                                                                                                                                                                                                      SHA-256:2635E454447F993496F17722DF0133AAE4BD957F8D15AD759256D55C45B2D9FB
                                                                                                                                                                                                                                      SHA-512:7A69AED46E057318D88CDCDD457C0DAD8EEE58013B44A5C5CA1BACB78CB7AE3DE753D3901C1386476D3C01D4E5965822BC24415BAA6FA5E08D2B2C403964528E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.849856881849517
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:pT+6ywnVvW0LW5SNyb8E9VF6IYijSJIVxcWfnt:p998yEpYi60Jnt
                                                                                                                                                                                                                                      MD5:A4A7F63BFEF46103347EFA5C1F23A84F
                                                                                                                                                                                                                                      SHA1:8947AF46ACFE76152410E3086D7595DC84C1EDDD
                                                                                                                                                                                                                                      SHA-256:3B1E09BB2A59E8EC4251973E8A58DDB993EDAAB976914F9FB09DC32D77B4F9BF
                                                                                                                                                                                                                                      SHA-512:BB71DDE1B6C464828B7FF6095B7F0FCCECF15AC04249DA43C1C57155E1800BCAFADA758E1097D45CB2DE3E5BA82F6F59B74D0C0AFA683935CA37D4B638DD115D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.848390763178357
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:XRbzriaXT+WlEWe5Nyb8E9VF6IYijSJIVxri+t1sD:B7icodEpYi60u8y
                                                                                                                                                                                                                                      MD5:A0700CED3A42A611A476CF0289F86986
                                                                                                                                                                                                                                      SHA1:D4352EBDBDDDA7BD594AA61E5EDE7DA19311C6A9
                                                                                                                                                                                                                                      SHA-256:662D9B458771B5948EB4D1BB1C382B9D9D442877261A26EA83F43FAFBDCA72FE
                                                                                                                                                                                                                                      SHA-512:928AB8830ABB0A389F6863125FEFBE418001A27DA25F277EEDAC99218201DEB659E8B8D82761B5418947E847E6D446288EDA6B09CD51FC41C8C16355149F0DA5
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):148520
                                                                                                                                                                                                                                      Entropy (8bit):5.418180901091705
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:1dYO+3m9R6e1x03BZ6bDSzZ8B0uAP+CSE:j+2jv1x0ebezWiu8
                                                                                                                                                                                                                                      MD5:F204707F338F6C7819482922C0958D10
                                                                                                                                                                                                                                      SHA1:4EC0D04FD7E2B8834A6AE96A2380F97965562E1A
                                                                                                                                                                                                                                      SHA-256:1379BE52E32EAD9795E1F3270B91A29119B59BC7DF16F3B9BD1A0E00954FC10D
                                                                                                                                                                                                                                      SHA-512:68888BA7746EAAAEC6C0AD64B5A8B0EC27547E0A40B98A34109ABA051BEE07082C5359D9E22078E4D0D01B7F09C1075A0F21CC749A465EACC58BD90338FD5297
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.810928431259459
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:XRtRWjYWw9Nyb8E9VF6IYijSJIVxIRMki:nie5EpYi60z
                                                                                                                                                                                                                                      MD5:3C52E43E526A4DDEA7E21D3F6CB0934C
                                                                                                                                                                                                                                      SHA1:48B0A29FC2CBB6E66414D44FE0D36E02A61B501B
                                                                                                                                                                                                                                      SHA-256:12545A778E40FAC4A5842D56E9C5571B7BA370B2A04883A82C1C86C3979F78C3
                                                                                                                                                                                                                                      SHA-512:7F0EBD61CE00268436845C4C513BE19E7311CFDDA5AD90CB6AF6F4274D865649C437240961415DADEB0178E5A26DB2F8B7F8943BAB5ABEDE833F3DCD86E166D6
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.890844337955829
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:nFxrIFWnoW5BPrNyby2sE9jBF6IYiYF85S35IVnxGUHFK1+Jm5RmP:veWnoW7zNyb8E9VF6IYijSJIVxG1+MbU
                                                                                                                                                                                                                                      MD5:039CC956B7A5891ECC3799D805EBF444
                                                                                                                                                                                                                                      SHA1:6F13A284F49B152F14ED6C23E41A4550CCEBD841
                                                                                                                                                                                                                                      SHA-256:E679990416DF09D59345F070E659D13D3F8424FD04642D993989511BB188F7FB
                                                                                                                                                                                                                                      SHA-512:2B23E0B70F345BE16D828537BCE22113DF136DA76F23B1227D11AEE653D5D73FB5CB87FACE86CB378F1C9CCAD564F1BF351C522F719716B02772389073CB64F4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):99368
                                                                                                                                                                                                                                      Entropy (8bit):6.23639961491798
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:qnDoXrtUaK/XIg+rZAXj8s9HaWt9LuOw9VHHV55aTwWbaD763fJ:CitRK/XIgIZAXjD96WfLtGdM5baDC
                                                                                                                                                                                                                                      MD5:4CBAE74F248C3612DED81C2750580F91
                                                                                                                                                                                                                                      SHA1:6C0BE7421FDDEF471857829BEDB1E784C0876C95
                                                                                                                                                                                                                                      SHA-256:090AE8D4CA0932EFDBA54F21062FEFF98AE780C849F28512EE70007521550EA6
                                                                                                                                                                                                                                      SHA-512:ECA366B2A8C7918F4E165B21294929A5F4DC3A87593E43C6826C932F74DCCC4BF26BAE728CBCCAF3973E0ED47BC56A67DF8FF96D8EFE476830F4D73F7DF7D4F9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.852040403345325
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:CxGxIZWJjW5bPfNyby2sE9jBF6IYiYF85S35IVnxGUHFykNoc0xPex:C6oWJjWN3Nyb8E9VF6IYijSJIVxukycJ
                                                                                                                                                                                                                                      MD5:D917DEA96F5B910E68D1F79E37B2DD91
                                                                                                                                                                                                                                      SHA1:24F89EED7B3DE4C5E5544F00C738DE7A1EDD9805
                                                                                                                                                                                                                                      SHA-256:2FC20781034A391AC60F35C94B3DB22383B7BFD17430BECF43460321566B0500
                                                                                                                                                                                                                                      SHA-512:BD575B68678242BFC301D77807507180477572F8A23BA6341E60B12322FB85776540939D156CBBEE0377F2108FACE44AFF45F74D51F97D78FB7B941B0DDC1A23
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.771448960937668
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Cqk53/hW3fZ+zWqyNyb8E9VF6IYijSJIVxjpbu:Cqk53MmSEpYi60pu
                                                                                                                                                                                                                                      MD5:7D50A7135BBAA5223A1F9295D134B3F5
                                                                                                                                                                                                                                      SHA1:64EA8C06AC68779CE21B1E45ABAF0155FBCAFF74
                                                                                                                                                                                                                                      SHA-256:14BB9215B0C82D2EABA0A76CC11B0E81D45426F43CE201F064137A182F174B68
                                                                                                                                                                                                                                      SHA-512:DC2AC7152A217D438FE03749DFF22005E671ED633462CFD16D2EC2643FB4CD91D2C0890EAEA5954D704792BE227BFC072CCD0073FA147585EDC6BE21B4686FCD
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17960
                                                                                                                                                                                                                                      Entropy (8bit):6.658255217483959
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:KFCc4Y4OJWfOWqWWOW7yNyb8E9VF6IYijSJIVxwOeQghm:6CcyCrSEpYi60Jj
                                                                                                                                                                                                                                      MD5:541DD5FFC4E27C42B4510B20C7795763
                                                                                                                                                                                                                                      SHA1:7A964AE8F8436D7D1B37774DE2CA0540B7785CB2
                                                                                                                                                                                                                                      SHA-256:464341BE8209BE8A36F6FC5A1943408C3216F66D84D4410ED94689EFB1848920
                                                                                                                                                                                                                                      SHA-512:F9690EB8C675829E194A0E8A4324843B683C28B4B3DE722C9099596202843161C98A013FE747A582C4EA47D72A5FB91DF7AC4548A393088B6F403A6B5338D6BF
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.8738938766861075
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:dAWxMWxiNyb8E9VF6IYijSJIVxMPtrWU/w4:dvjiEpYi604rRY4
                                                                                                                                                                                                                                      MD5:5C01326F7B286C2DBBECB385A53395EE
                                                                                                                                                                                                                                      SHA1:DFEFC096F4DE4FAE01B4B7B19CC05AEF2283A59E
                                                                                                                                                                                                                                      SHA-256:29A698BEEBD5BA52CC04FE7B7A22928E90E006A7885A1F10EB2E1A6665511F54
                                                                                                                                                                                                                                      SHA-512:EAC153B33457347BA56CD53ECB11CEE297C503D792A6BC3DA8AF5BF8E2E4AE3D4356C460CD68F345E7EA673F37ACD847E8B623D03E416F80794C0BEED1FA066B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.856217266564335
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:rYqArxbYWHaW5oPINyby2sE9jBF6IYiYF85S35IVnxGUHF2zfxGo6Dah:jAlcWHaWOQNyb8E9VF6IYijSJIVxyoLS
                                                                                                                                                                                                                                      MD5:8EAF10A4BE6CF9FCFB560BE7BF63FBEB
                                                                                                                                                                                                                                      SHA1:F20ABB136959EF3F40B82E712587983C13C8CF22
                                                                                                                                                                                                                                      SHA-256:66A83605AF8E8462FAC61948656D7300C9EAD82CA230B0D45FA7AC81B2DE9124
                                                                                                                                                                                                                                      SHA-512:588293D6043892C0DC1A46214BC4398E8C2513CB2C46B91CE9C996815083BFA25D9246089676F3ABA00F951B8A2937C1CBE83D808A72C49CB2B1FA71130CEEA7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.7775085279315626
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:1eIZnWlNWTaNyb8E9VF6IYijSJIVxpcstKT:kUyo6EpYi60Po
                                                                                                                                                                                                                                      MD5:20430B56AF201F3DF8DC7ADD77C700DF
                                                                                                                                                                                                                                      SHA1:B4D021243BEEE7CD50AB7885ABBF15F0BF530578
                                                                                                                                                                                                                                      SHA-256:EB04AC7564191B2CBFE425BF0E1C5AFAFDD56E95EF43410B46849B859C607FCB
                                                                                                                                                                                                                                      SHA-512:CEA66D7B73E25725696D5B46E1BB3D26280B15A7DB665AF6FAD75685D41D6A759291732559D7D95E9F99140AAC29C94F0393FD9A22084C6C20C347E55DBA560B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):25640
                                                                                                                                                                                                                                      Entropy (8bit):6.492795908704385
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:7lQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdWZ+Nyb8E9VF65:JQq33333333kX+TBi8OGEpYi60/k
                                                                                                                                                                                                                                      MD5:BAC4ED28712BC3D20E634372041074CC
                                                                                                                                                                                                                                      SHA1:3035E7EBB1B7D9830FD3711231276506A8B5B59D
                                                                                                                                                                                                                                      SHA-256:DC70596E0963C1256F437BCC4EE6529A7B97119C2484845498B142EB4A18A921
                                                                                                                                                                                                                                      SHA-512:5D6D4F42FD3DE579874DA7B39569B00F3A9DECD12759929DE58AD9D1A436DE787AB0EA5D67FD6C1D6558463E7B47A1222F23F67A3182E1A7E8AA172DCD23A71A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.848738207274033
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:728YFlXulWY/WGONyb8E9VF6IYijSJIVxKD9IPGp:70qX2EpYi60Tm
                                                                                                                                                                                                                                      MD5:C1B2DE83AEF8C5E20E17941C4999C314
                                                                                                                                                                                                                                      SHA1:20F7DCF53F0B030E70C84DF4E4277C93DFF6B6AA
                                                                                                                                                                                                                                      SHA-256:7060B1D86EF099D021D16A649DE7137D8517C5E554E1F44B41173CA8B9994D73
                                                                                                                                                                                                                                      SHA-512:3610FB8097A6A29529DD5E21D2BC8E7A3CBB18D2BE071FBE198308B3242D5EA6429BDAD47363D5BAE862F5FF837D0E2DAFB779CB9002E08D55D0E45A0FD13BAE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16424
                                                                                                                                                                                                                                      Entropy (8bit):6.72671079918751
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:duMLcdQ5MW9MWYONyb8E9VF6IYijSJIVx3EDQL:8OcSpS2EpYi60K+
                                                                                                                                                                                                                                      MD5:A0D4D09BE1D6009408C6EB7E93768012
                                                                                                                                                                                                                                      SHA1:4C1BDC43B169CDB2869C1C98DFE9A91EB15633D9
                                                                                                                                                                                                                                      SHA-256:4B9138560B475B50BCBFCBD348A82CBF258E9886682CC05EA33BE2CBF0A03F48
                                                                                                                                                                                                                                      SHA-512:7CEABCF983852EC62CFAE6C739092E09EC44FE7AB3904E248AA9DBA83F7BBD61E1DBF817BF92B4D59E3EA638A7271E5F3F63E614E93FCA123F21AAC25220AA37
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.817024517717208
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:sZ7RqXWDRqlRqj0RqFWqENyb8E9VF6IYijSJIVxVaJrCC:Q9qKqjqjuq5kEpYi60KCC
                                                                                                                                                                                                                                      MD5:37F1EF0A6AA2466C2F554504C53C2D10
                                                                                                                                                                                                                                      SHA1:31DD8D50CBE9C4595A7CC7D7815BA428227E9892
                                                                                                                                                                                                                                      SHA-256:F79DC628564995DEEE92F105511FD82E8B3CA3929B6D67529730833DAE6C4E9F
                                                                                                                                                                                                                                      SHA-512:0022E149D9CE976D56687781461E604759E0BC36E46E4D6A9B003F8F22ABB76B11B1CDD4E06A2718B1247C7BBA4AF15A94AC91F6FA43A9AAFA396FE993BF6301
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20008
                                                                                                                                                                                                                                      Entropy (8bit):6.628825890980245
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:YNBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9W7eNyb8E9VF6IYijSJIVx3dU2:YvMhF2SzNzwu/NljuQmEpYi6022
                                                                                                                                                                                                                                      MD5:0F8AD89B93E9F4127DCB11B4F391AD46
                                                                                                                                                                                                                                      SHA1:CD0374B06A4C3962F4E3FE177907059FE7EDC2C9
                                                                                                                                                                                                                                      SHA-256:BC753E8BC6A07731B5BF2D5663150CD4691B322A04D82CC53A3E64FCA8D55FDF
                                                                                                                                                                                                                                      SHA-512:6ED91FC9F2CCF9369BB6BC952035012AA5D5C5BA93A61CF98306E9E9DF843EAF8CCF0A6115C172D0A56B50BC2B5DCDBA5ED8A57CAD7D26C6E653C46976FFBCCE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.898261756295843
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:1Z4RLWdRfRJ0RZWDeNyb8E9VF6IYijSJIVxlydN:1ZK0pJuImEpYi60oP
                                                                                                                                                                                                                                      MD5:292641CBE4EFE988E1D56A5245503090
                                                                                                                                                                                                                                      SHA1:CDCC2464376F76994BABD97BF2A17A7D302E0153
                                                                                                                                                                                                                                      SHA-256:DB686D7BCAAB90B5117C320CD799B9725773A764CBA52A78797ED3CBAE22BA54
                                                                                                                                                                                                                                      SHA-512:821DCF439AC3C0C4A1DDABE1CF40B0FA0E6660940F7F9B585F23E21A4B5D2BFB809A38F1549397250A4733BC0E1FD42B12FC74A5D66BEE3942F2E7C23A07F7F6
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.796379783430149
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:NYWsmWIyNyb8E9VF6IYijSJIVx39mFdcmx:N2wSEpYi60Qwmx
                                                                                                                                                                                                                                      MD5:144114AEF753E8A677B4B2B8C4CC5BA4
                                                                                                                                                                                                                                      SHA1:827364BEC24CFBD5FF52B1A0797BA3981E520FFB
                                                                                                                                                                                                                                      SHA-256:07F2FD794258FAADAE4BBAE88B5C4C5A840F108087DEF92C970233D3D8AE8858
                                                                                                                                                                                                                                      SHA-512:D3D7D4CF244B64787244C0547F4810C64B5B1A5FD7017FF215A68561C30DD609ED70B2BC81844996FD16D4064D88EF175CDFA63489622B4D72358B88D42E2A27
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):105000
                                                                                                                                                                                                                                      Entropy (8bit):6.3817920096587635
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:qvc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXBA760:mgk1tiLMYiDFvxqrWDWNoJXBAv
                                                                                                                                                                                                                                      MD5:8DDFC9B1361578BDD5612ACC51313DA6
                                                                                                                                                                                                                                      SHA1:630346D2670DE69362A3267DAE11EA6726003559
                                                                                                                                                                                                                                      SHA-256:647D5BFA5108E79A1E1738C34C321088E7B8F30366881D94695DF52E547FADC9
                                                                                                                                                                                                                                      SHA-512:F4B3AD4BD7C049C0F5D4408BB4834936E3EB5ECEE139F426F32704D40201EA75BCADF6B6EB32FE79B9F8AD1D609D739D2638E45693D5A8A55CFD933173A1FA7B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.855234936441404
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:dKcuz1W1cWliNyb8E9VF6IYijSJIVxLnKXE:Xu8niEpYi60b/
                                                                                                                                                                                                                                      MD5:054FDA357AAC158ABB7DCB603E618468
                                                                                                                                                                                                                                      SHA1:30D78707EB7ED4B135A3DCC0D2789EF34EE5008B
                                                                                                                                                                                                                                      SHA-256:D690AFCD79AB3F1E8FE0F87922A694F1207F23E7AF74B9D507CB0719B71E6162
                                                                                                                                                                                                                                      SHA-512:91C419A37778A608310C1FFA4459942A2E64B8FEE8B03192D0AB78D879F52525CF37B5E2D31178A4C14FBD8BC58238127D275EF7FBCC18148FD48535E9B5C41B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.859586983074765
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:c+SWikW0uNyb8E9VF6IYijSJIVxAd5iwp:c+eGWEpYi60Cdp
                                                                                                                                                                                                                                      MD5:6A9CCA0177140202310B5E38CA0C8FF4
                                                                                                                                                                                                                                      SHA1:6443604982F8F9A3E1B5D713DB1E52D401CC0F52
                                                                                                                                                                                                                                      SHA-256:F6B1EE80B31CC0383A6C4F7116BB84EBB41CFDD5AACEB43986308A146077F381
                                                                                                                                                                                                                                      SHA-512:D34427448ADCFA0B140BA777FE0EF266AD04843C3848EA8EA238BA457EDFF2C1023E7E891A811433491A60B2834BAE734656D764B0F2FB55C6632517D1200BA9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.907435412972442
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:pDxxhREWzgW5APUNyby2sE9jBF6IYiYF85S35IVnxGUHF76am939Ys:FAWzgWSsNyb8E9VF6IYijSJIVxXm+s
                                                                                                                                                                                                                                      MD5:8A94A3BFDE0A59D784A3408F43D7714E
                                                                                                                                                                                                                                      SHA1:CE74C4C089A298FB2E53DB905E938ED866FD7CCC
                                                                                                                                                                                                                                      SHA-256:266EEB7F43B68684C44E1926593F5F4DEAFD5048BC552835152DC9649E738F9E
                                                                                                                                                                                                                                      SHA-512:4015E73F7C7099BEF4E2961A1AACD1F3AC25C99B54F92632E94DE0B3AB4F19E0144CDC5B06A56029A73C2A6644CDC990D2A11CA2BB5D5F31E92B6E07712CA4F8
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.863130152483049
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:6BLRWbYWziZNyb8E9VF6IYijSJIVx7cHr:6B2xi9EpYi60YL
                                                                                                                                                                                                                                      MD5:878FED5CA4CBAA9282B1EB608C2312CC
                                                                                                                                                                                                                                      SHA1:D07131A22C8E51830D64607EA61A71FD0064A78E
                                                                                                                                                                                                                                      SHA-256:91850B2A878630B4F96CF6B5D5695361BDA4D3E57A8589C8FB68CFF75FF3B761
                                                                                                                                                                                                                                      SHA-512:631EC942C1FDF73C016694B345609B9D821A427E79D4190A21A12442C65650E793E74B2247978B23DE97D1109D885AD1C5F7031D18B7502B01E298355828272D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.85257775718915
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:hZxcMRW4/W5TPPNyby2sE9jBF6IYiYF85S35IVnxGUHFyF5yzli:5HW4/W1HNyb8E9VF6IYijSJIVx+qU
                                                                                                                                                                                                                                      MD5:4D61CCEF5CC2784846B379DE467BFCF7
                                                                                                                                                                                                                                      SHA1:0F1A10F294CD97FB5B21CBFABE7D41A060F9DD38
                                                                                                                                                                                                                                      SHA-256:E2E5B92DFA1195E2DD1DBD15D8E4C36365862C33105BCFF7E84CFA72F90CE512
                                                                                                                                                                                                                                      SHA-512:969F11D0DEEE273AD68BC3C9B7224A3E38BA227077B0760332C7D603761A12594DD66338C58A08D798A67F00F91861CE104E792BAAA7D4014CC2304EB177EBFE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.909083241813673
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:/vk7hWmCWKpNyb8E9VF6IYijSJIVxug1fV:/s7/GtEpYi60HV
                                                                                                                                                                                                                                      MD5:99D608EA299DB1E5E927AF7AD6F0D364
                                                                                                                                                                                                                                      SHA1:E2625E44AEC5D3D2C53826E2B31A64AA54DF4C46
                                                                                                                                                                                                                                      SHA-256:9711D1D2173CA18175118B8BBBC656BE11E18702EAC0047F6195889C60032BDF
                                                                                                                                                                                                                                      SHA-512:80B8FC43E2F41649F19DFE954F2DD3FBA6CAFCE72AAAB4F0832017D672BCC93EA6E7187BD23056C256DEFF3150315789140B68336752042E34969ABC4F0EB70F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.8725581182244815
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:pUiW2xf+C/WCUW5wP5Nyby2sE9jBF6IYiYF85S35IVnxGUHFLZiDSj+2m:fGMWCUWiBNyb8E9VF6IYijSJIVxR5q2m
                                                                                                                                                                                                                                      MD5:827CC9E1385DEE08EB88BA4F82A8D037
                                                                                                                                                                                                                                      SHA1:1F4FD3E05F15B1CEF11222EF9FB0E7278D7FF0D8
                                                                                                                                                                                                                                      SHA-256:EE7208B11C25F2244F73C4C7FE84634E283CABFA3BF3F8AA8231FEAB8806B32D
                                                                                                                                                                                                                                      SHA-512:D42CA3E72BF359CB8120051414D554A89A8D8E6E8D2463CE3684CFB32977F5437EB5FEDDA5A08080130DD24170BE8CE93F9CE4ACB9307D878B2C2C1CECCB37DD
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.852073911727644
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:1BhwI7WSQWEQNyb8E9VF6IYijSJIVxCtgRyl:1DwIBSoEpYi60a
                                                                                                                                                                                                                                      MD5:96CC4DB802A18A19C634362EA07BF0CA
                                                                                                                                                                                                                                      SHA1:5E73A7D50926A20ADF21C5A681CFD88E6782E36A
                                                                                                                                                                                                                                      SHA-256:2C36B9CE0C5B3D2BD1437FA57DFCFE7E8C13BBA014BBAFD6895736A6654704C3
                                                                                                                                                                                                                                      SHA-512:442D514BADBDFD84F67A1B5CC5C653F6EBF49A951657FED8C7BDFBD4D453D82AE9A3E3845BF3BEAA6B4380FA7E45E5531E6594BC3673788199C79FC7119EE884
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.870125259512271
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:FyvPRW4lWvKNyb8E9VF6IYijSJIVxnKq3u:s39oKEpYi60Fu
                                                                                                                                                                                                                                      MD5:E86EF319DCB1A0C3A1C980B8179C28DF
                                                                                                                                                                                                                                      SHA1:B7B384331A1F5A4ED7A1EB64B93A50D3D99543BA
                                                                                                                                                                                                                                      SHA-256:CDF9D59E281EAD07334BAEDF6F929AA27AB968B7121B53EEE2406EADEFE901C3
                                                                                                                                                                                                                                      SHA-512:A76AB5FB097CDCF658F4645AF58F4B9F4CE9B5B14683A7B2463598692D7835D969A0AB7C387CC96D9EEABE095E4223B40FA1EE8BD840F83144AC0B5818BBBF5A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16424
                                                                                                                                                                                                                                      Entropy (8bit):6.821263452437729
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:r6RW6eWX8Nyb8E9VF6IYijSJIVxiAcn/A:r67XcEpYi601c/A
                                                                                                                                                                                                                                      MD5:5DE19C03111BAC441546E09C0986FFB8
                                                                                                                                                                                                                                      SHA1:73A84A9DBB2C687D7B98675391F17919BE4A0E2D
                                                                                                                                                                                                                                      SHA-256:E8B6180145EB52C8357A15E71EDC4F4A3CB103E2C9E3CA39DEF0837C25486FF4
                                                                                                                                                                                                                                      SHA-512:8A3B551E5D14A05A4DA4D244FA8BF285C5FBEC7B5D613EC5B8AB73F4EF90D7F6AC4DFBF1AF206D8C4FACFA115AA03531660C8E39535315F3B680F72F7D34DCB9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.853696719137859
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:cSUP9W70WxhNyb8E9VF6IYijSJIVxu17pF:5Ue/lEpYi600FF
                                                                                                                                                                                                                                      MD5:18E7320ADED59C532DD1093BB36A47E3
                                                                                                                                                                                                                                      SHA1:321C5DEEBE109D276BC9BA37FC0427AF1BEAE560
                                                                                                                                                                                                                                      SHA-256:83415D3468C938305AAA415D4CFAB000A256942414F04C461416E2C160BCDB6A
                                                                                                                                                                                                                                      SHA-512:18519422D60ECA9255CDD896010A2698C6055FB19F82E26CE678D08A5A00B2CA86B0438B8EF175825B7B27948A41C28D6157AEBE366341EC13ED6B8569589866
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.847671491882663
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:m8yg07W0/WtTNyb8E9VF6IYijSJIVx/oOGL:mBHEPEpYi60AzL
                                                                                                                                                                                                                                      MD5:4631C3F56A7B9031F7543E6814C16B8D
                                                                                                                                                                                                                                      SHA1:3C5779DB0C60BE02444DD8747DD3B4A2CE37A1E3
                                                                                                                                                                                                                                      SHA-256:D3AA1A71FA76EA5DDB353E1CC5180779DB3226122552CF5A621A2F72142D539D
                                                                                                                                                                                                                                      SHA-512:82B24C7F8E2A876F839C0591E5FCA75472E7EBDDC1B354495C3F7CDFC8757F10C9DA7DE08BECA4A83570665C47281AC7700345EC0FDE03D0B90188BE869FC169
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.817049710176357
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:we1WmRWgFNyb8E9VF6IYijSJIVxakgDjo:wejjBEpYi603l
                                                                                                                                                                                                                                      MD5:2CAF5C21FCBF0230D9483F1FCA73E172
                                                                                                                                                                                                                                      SHA1:F764EFFA55A81B03177BCE950034C683E45E086D
                                                                                                                                                                                                                                      SHA-256:F3B140DFBF9255AC57327672D3EF85DA904B79C50D518EE51306C6A4CCDB7DCB
                                                                                                                                                                                                                                      SHA-512:A09B873E6EBB483DE70D7AEA322B3F9EA6190945FDA674D8BE7CBC33DCF09DE27507F7A336CD346E026C68B61DB37C8C8C5CAA6276B9946936C1F5C6863A7FEE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):142376
                                                                                                                                                                                                                                      Entropy (8bit):6.160416111190502
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:mUGrszKKLBFa9DvrJGeesIf3afNs2AldfIlqg:RBFd3/aFs29
                                                                                                                                                                                                                                      MD5:401E4D347BD255E0BB8DDE6FB0B9C1B4
                                                                                                                                                                                                                                      SHA1:FB06977AB97D10368872DBC07EDF0EF5F7FAC2E5
                                                                                                                                                                                                                                      SHA-256:EEBF2B7039D66E279C867C4FA6A52992C03D4471B02CBB5482B25330CC9D0AC5
                                                                                                                                                                                                                                      SHA-512:C8AFF36074FA5A074322B2631D8966101EFB8BA8CC9E90751985CC7822F5403E7B3F2516FB95FCF3DFB2B6575C5E856CDC77AD2D3CE413399C5A650EA245212F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):192552
                                                                                                                                                                                                                                      Entropy (8bit):6.1145313432038435
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:zeruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgSbG:OW60VcTvakcXcApOW
                                                                                                                                                                                                                                      MD5:D3E5C0965EAA22ABF7983475E0D1BDD6
                                                                                                                                                                                                                                      SHA1:3A38A616388260BA9063FF0A8DEC1F5F79C35167
                                                                                                                                                                                                                                      SHA-256:317C9D83B5CF920086FAAC9F3958ADE2DA011CC3BE3C2D26AC29D98A471A256E
                                                                                                                                                                                                                                      SHA-512:447AB3090F482799F87FEDD2903512C8DE3D50AA81F7DB201883789D35C73C3DD67DBACBAD3F190D6EEA46F81FCEF15233484E8BC16AF768201D3AAE50AE2B25
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.8352214136086555
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:06ZWYLWBwNyb8E9VF6IYijSJIVxNNLD3Nqi:06l4IEpYi605qi
                                                                                                                                                                                                                                      MD5:FDE1F464939CB2FA8F1FEC631AF3CF0E
                                                                                                                                                                                                                                      SHA1:B62ADCBE2A59A559F9610FFDF3DEA3B434EB17D8
                                                                                                                                                                                                                                      SHA-256:694FC622E3460D03502B2A8BF8BD2FFCC5358117297DDAB006D6ADE71CE07332
                                                                                                                                                                                                                                      SHA-512:EC2F1E08CC1EF0B78573766DC0C7F454D00A3BCCCF96EE972FB6A99EA1DA7AACCC82187F4D5AB6F1E6A23BFFBC8403E9D7D0EBA30535DD9D54350E878AA94E3B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16424
                                                                                                                                                                                                                                      Entropy (8bit):6.792745535380218
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:n1W1WMQWkMNyb8E9VF6IYijSJIVxuHjg4:o1yMEpYi60un
                                                                                                                                                                                                                                      MD5:4B018741B464AED29724E31FE593A2F0
                                                                                                                                                                                                                                      SHA1:435143DFD60DA9C7A3839B0AF6C0EEC9E6D72531
                                                                                                                                                                                                                                      SHA-256:27A83893C71285085B9334678212FEFCE779CD3E877F8232B90FF61A2AD2E8E1
                                                                                                                                                                                                                                      SHA-512:C542ECF9A11CECBA69FEFA791C7DCD18E6D0436E6D9F0C164FF50A4D2564A317890EC23C2B588AD6B8441551B6BF046D2D714CF484D71978DBDA75034861BDF2
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.832665685039471
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:JQ/rx72WSKW5TPZNyby2sE9jBF6IYiYF85S35IVnxGUHFA/P6iMYRh9:6dSWSKW1BNyb8E9VF6IYijSJIVxsbMq/
                                                                                                                                                                                                                                      MD5:51835E547CFCAEDCD46D41A916007337
                                                                                                                                                                                                                                      SHA1:027AF2DA308C20BFECFE01D6925F15677658B9ED
                                                                                                                                                                                                                                      SHA-256:E0D868F38EA149A2256491A2067E7C1EB21A9CBE68FD018A7EAA2D65E8C6F5B4
                                                                                                                                                                                                                                      SHA-512:6FA395D0B6B230B96A0263BA005A5E6518CA96E6785BBC964D75108CD9C3E58670B9CEEA2BC11188F1FD4CDA1C2A03A63F3E9C12A84AAB233BDEDBE0EF8149F0
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16424
                                                                                                                                                                                                                                      Entropy (8bit):6.7476634745054485
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:XJEYA2WkIWcqNyb8E9VF6IYijSJIVx1IZ22zG:XyYA8CqEpYi60+Zu
                                                                                                                                                                                                                                      MD5:2B512D2A20AA68D1F8AA686BF246F15B
                                                                                                                                                                                                                                      SHA1:D37F581A2DD9651E3A9F0D2B00D1275FE43F81EB
                                                                                                                                                                                                                                      SHA-256:D9B9A099BCB2D685BF4CAF9A04FA022D08AABE3CBBD04912FB9FFF73CCD162F6
                                                                                                                                                                                                                                      SHA-512:4C999BD5F20691AB4AB77015E34F0822076FB549A4B41495496AD8505FE6BC3A732DC1AAFDDC5FB6E576AA76AAD673D674A21C421D1FBB8791EB3D2CC4CFCD23
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.8755777127592
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:hJGWe4WTYNyb8E9VF6IYijSJIVx5O3zCp:fmRQEpYi60tp
                                                                                                                                                                                                                                      MD5:671D536227E78B50106A0D293D9EF1AC
                                                                                                                                                                                                                                      SHA1:2B269A49DB0EBC5120EECB135AD96C78DDE1FEF9
                                                                                                                                                                                                                                      SHA-256:6C679EC299B4A95EDB26E8AB547BF78E351FBD75CFFAF40FB3E65F036DBF99B9
                                                                                                                                                                                                                                      SHA-512:5B2B63DB5E757B8ECB742F020DC62F0E239628DDC8A6874AB0E22D6F746F8BD4268E8544B39D7443E8FBD9456A341FD8BE8B333CCE0CF9819E6083CF533EB05A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.785938093349042
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:IdW1w3WesWn3Nyb8E9VF6IYijSJIVxV4NN:R1wxd7EpYi60+j
                                                                                                                                                                                                                                      MD5:6945923300972B5EA47E0598706612C2
                                                                                                                                                                                                                                      SHA1:E5F2A7CF773248575B60E0C53012E028B674E19A
                                                                                                                                                                                                                                      SHA-256:BCC856A3826E500F74A5F6A6C26868D99049E41A8347C70090415FA2193A045C
                                                                                                                                                                                                                                      SHA-512:3505A8D5F660BA87380F6F7CE200CA5A26434502A1784BF4ADF6DC2D7AFD9DBF06C3E76B4BBBFFF2E96D27AB50D4483CD629348738FA51E6B8B6FE509AD08BB1
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):24616
                                                                                                                                                                                                                                      Entropy (8bit):6.595041169888453
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:0ylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsW1gNyb8E9VFh:0yp12Bhkg3qnV/srYEpYi60Rt
                                                                                                                                                                                                                                      MD5:FE7190348625EC55451232FC2D3FB595
                                                                                                                                                                                                                                      SHA1:D141B545D0F3D521DC980631858F1E4EDA517A5A
                                                                                                                                                                                                                                      SHA-256:89179D883E20AE9C91F902F7A97D2086D2F73AE4658C4AF10B98F88DDFB59664
                                                                                                                                                                                                                                      SHA-512:C9507147B018DC03D02A4F6E6706150F4ABAE1208163AFE6B24B36FB8618CAA21474661C424CFA0AA91B76573B4B73D2530014DC4EB67580D8F8FB495D9A2F66
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.853316216137834
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.853448956403336
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.864638231153108
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):110120
                                                                                                                                                                                                                                      Entropy (8bit):5.5108128247654085
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.848632194828129
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.857847377763634
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.785369657459982
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16424
                                                                                                                                                                                                                                      Entropy (8bit):6.724157119947449
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:QxDHKWAMWcpNyb8E9VF6IYijSJIVxlPKR0utc:YD8GtEpYi60Vcy
                                                                                                                                                                                                                                      MD5:F50876298DC3B563DA6826269B2B239F
                                                                                                                                                                                                                                      SHA1:FFC79793CDA43EEC70AB960AE14C6F78810A49BA
                                                                                                                                                                                                                                      SHA-256:91230D54EDC8A7055732CB03923BC8FF55E8A8EED938AE60C44A527D8863D45E
                                                                                                                                                                                                                                      SHA-512:5120E332688893DC089218F9482156190578723E5B394526BBD23BB2899A5DD82E576B5CF766A0B0C31A792DEA8C757AB05F5CC21C03F2AACCE358C7F7B05E1E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.829404767120568
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:wLNBEW6pWx7Nyb8E9VF6IYijSJIVxdT1qe+2P:wbMSXEpYi60pdP
                                                                                                                                                                                                                                      MD5:AFE54DB9A896944978A9B7A11950DF04
                                                                                                                                                                                                                                      SHA1:D168B00E2F65A67620557F9812E62CB02B200691
                                                                                                                                                                                                                                      SHA-256:B5A910596D56F1082F4C3897DC6577331FC0C65E0F5919F45A9CE23D4BD748F1
                                                                                                                                                                                                                                      SHA-512:C0AF4591F27B22D3E8A02A753D91BDC066DC529F59A50A615EF6CF88AE2C793912EBC26C50D05C65376F3A036679B128D715482315A3EE87B95C44BC7831E156
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.886594331713788
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:uKkHKW/tWBpNyb8E9VF6IYijSJIVxkNKuTCOZ8s:TumtEpYi60Wl4s
                                                                                                                                                                                                                                      MD5:B5ED78D6C151FF528B8C1EA4FC01C264
                                                                                                                                                                                                                                      SHA1:66B94A030731A38D93E68D344334CD3DFC79A40D
                                                                                                                                                                                                                                      SHA-256:546783CAE29CD0ED62B742717CDCF601AFED16CC624CB1DA64914C09FBA7A44A
                                                                                                                                                                                                                                      SHA-512:B06AB4204B11F8EF780D8F4EAAB369C9B6F79A4099657C46714423F4B5A5C768201FB0764CECE7362A470415D25F3FF9A80B66C27389C1D1683AC67C7ED17F66
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.832440945277622
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:0LnfIWqrWx8Nyb8E9VF6IYijSJIVx7Dq1bbXVo8:0Df4ocEpYi60gbj28
                                                                                                                                                                                                                                      MD5:DAB87FC6FD24D8DC5AEC95AEBB6DF6ED
                                                                                                                                                                                                                                      SHA1:ED2B6FC9CBF4B412E0382D142A2D95D7E532BA26
                                                                                                                                                                                                                                      SHA-256:9D510D9EBF5BAEF6132BAA15263CD43285A745846CD49AD1F697CF75BDC81E24
                                                                                                                                                                                                                                      SHA-512:F9235636967AD0501F2A20E6A0B4BE42D46A40A04B0A6EFC16258C9C59B8F7846A629EF104EA78A2F0A1F28841AEA2BF8E50DDCC072D97506FA7CBBC6B5233F7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17960
                                                                                                                                                                                                                                      Entropy (8bit):6.67540834837691
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Vh06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeBJEG:Vy9gpEpYi60At
                                                                                                                                                                                                                                      MD5:C6C2A4748A0358E5E117E5EA92A7A5CC
                                                                                                                                                                                                                                      SHA1:AFA829A0B7CFEB8FE1B4113CA9D315618825A9CE
                                                                                                                                                                                                                                      SHA-256:8C732D6FF6B7171E21E341EBB5DF403A0492F784D5865DFBC26BBAA7EB0C0165
                                                                                                                                                                                                                                      SHA-512:64A8A0495B65A312B7F5228094BD74A3B647F2895C3BE4DF28B65FD1BE214DB85A097AD40FC73B95E622DA56A4EF301EB7BE91B17184FF8DDB1FE8AB1145C763
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.81362702616023
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:1na8WK1WLfNyb8E9VF6IYijSJIVxY4YvO/:1na0ojEpYi60SO/
                                                                                                                                                                                                                                      MD5:1B83C23AD63079909D9249AF270CE723
                                                                                                                                                                                                                                      SHA1:9B69A0EE1F1CB7D51B949F4FC4564309C2B69F6E
                                                                                                                                                                                                                                      SHA-256:DCB0FD8AC602600500A66FF63C3EED2004AF2815AFEF44C17ED7FD56C7A64865
                                                                                                                                                                                                                                      SHA-512:ED020CE93C9F8AFF9B482ABBC39D19FE33E9F1527729262CBA65C8BB7EBAB1FF3936D2970DACD3ECFAA3D70DFBBF01F4CFCF372D215FEF564CB058AC4C0EC9F4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.763739326554534
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:/BSWITWWSNyb8E9VF6IYijSJIVx3mR6pE:/6LyEpYi60WR9
                                                                                                                                                                                                                                      MD5:8701AC62E4798E316D261B8B610ABCED
                                                                                                                                                                                                                                      SHA1:AEFC7E582FD623838E37117D3E1E4AF7A774F205
                                                                                                                                                                                                                                      SHA-256:C6EE477A087AF68BCA366F0F1EB844AF1C1453E710DD5B63BBFFE0365DF59100
                                                                                                                                                                                                                                      SHA-512:EAD5EEC7465E84D8335713AC824F1D99BC0DF721EBA845E0625933A8915CD24AED788FE3C4D17A03BBAAEAC790E5AF4D4B3D69E6202A791ADE2D87B5FD171632
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.8758049902132425
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:R88cIIWNoWJiNyb8E9VF6IYijSJIVxJQqeNHPw:R9cU7iEpYi60VeNHo
                                                                                                                                                                                                                                      MD5:673FC0EDF04D3C42EC568DA9B17C41FE
                                                                                                                                                                                                                                      SHA1:E5E4BC30C22AD35A68A30EEBA3E99EA4BCF5CB3C
                                                                                                                                                                                                                                      SHA-256:4AA394D3C7347439434D4839E8CEB3BEB2731D05DEF428FACDF3911BD701556F
                                                                                                                                                                                                                                      SHA-512:EFA56562181FC801B21D4B33B0079020B6BA6D45194C9D5932F9856122CA6F8490D6D5CE48046BF3E48162125FF1998527B123189A11B2190A3FCEA00BD5398E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):22568
                                                                                                                                                                                                                                      Entropy (8bit):6.621496009544969
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:8kUwx9rm5go1fWKmmW4oqN5dWjaWbJNyb8E9VF6IYijSJIVxowXqgrVJ:rrmoFmWXX/NEpYi60b5
                                                                                                                                                                                                                                      MD5:C8A35AFE897C901B54B621BE5527A672
                                                                                                                                                                                                                                      SHA1:A63AC12893B791995A14818C806EE0F59570B267
                                                                                                                                                                                                                                      SHA-256:329BC85D116D0E0C4AC79596A0128BA2504C6CC9AE519D649F5D0DC8BBE12DE3
                                                                                                                                                                                                                                      SHA-512:72313DB7BE5CA2F90A38277AD5339AB3E9577763FE0721D90FA3D186A45E895F4C3B131A7244401E1E80F4A80C136F7EF30AB7D0BA224743BF874CD67AC3EA06
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):18472
                                                                                                                                                                                                                                      Entropy (8bit):6.672732671770867
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:E09bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVsc:lOAghbsDCyVnVc3p/i2fBVlAO/BRU+pu
                                                                                                                                                                                                                                      MD5:312173D3BC4ED8D4C7F8767D11B1C6E6
                                                                                                                                                                                                                                      SHA1:F145617D35C86FD11D4AC4D0AFAD5517A4989451
                                                                                                                                                                                                                                      SHA-256:2919C102D0AB36CD0704AFD5EF642432EF297BC9EBB964FDCC171BF5B0CB7603
                                                                                                                                                                                                                                      SHA-512:727302C6AF63D4FFC3810FF51863B244666DA14517474F175FD39E6CCE4907D13A7A88A95032753DA36508FFD88E25C11236BC22153107D39B2EE6EEA4DC050C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.826444460589489
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:cdYx4AW6RW5wPSNyby2sE9jBF6IYiYF85S35IVnxGUHFt7kRFElqD:r7W6RWmaNyb8E9VF6IYijSJIVxZ7Vu
                                                                                                                                                                                                                                      MD5:7093C8CED5FD3EA657EC1F4FE62999B6
                                                                                                                                                                                                                                      SHA1:8D631D42CD538B4E78E103E968F0E1EAE9A44E70
                                                                                                                                                                                                                                      SHA-256:A58B4E32A90AFE5E787F28541DACEC904EDFCC475585858540B19C4188A3B485
                                                                                                                                                                                                                                      SHA-512:4885195CC867B32C4EA4169FC96554D72FF86D73F9CC95FC2F6AA140709961A2737709FFB840ECA75FC0B3062A2BF4AF3B713239C70F28B6B42CFB963B0D7BFE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.9210346623513805
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:fI5HeWFwTBsWWcNyb8E9VF6IYijSJIVxuKoen7dr:fI5HFwTBI8EpYi60l1r
                                                                                                                                                                                                                                      MD5:599A888ADAA4F03F1137136175A19415
                                                                                                                                                                                                                                      SHA1:1DABEFB8BAA30A1DF687DD1494B6D4223D782B55
                                                                                                                                                                                                                                      SHA-256:42870B417A83F39319F33400D46998FA7D660D6D41E2D507474AD08815FE371E
                                                                                                                                                                                                                                      SHA-512:85F5FF6ADA69B6E4D5CE9A9B5E423E92F028D214DC486D69576224906B6AED183A50586533FB6325079DA8BC6F8DBE82792FB2EE8DC1093E23CB6998165237CC
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.890331489145955
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:PAJpVWbfkBnWRXNyb8E9VF6IYijSJIVxnly:PAJpWfkBAbEpYi60A
                                                                                                                                                                                                                                      MD5:5212F5DA16B2E0BFB6F8A2296E33054A
                                                                                                                                                                                                                                      SHA1:B0CF851E00F1AB11753C1FF0757DEE1396465C0C
                                                                                                                                                                                                                                      SHA-256:8FC45810F324091F09DC4C409F3397FD592071837190083306E62CF4491AA79C
                                                                                                                                                                                                                                      SHA-512:2980DF58B47366E637372EF57D4636B9B493FB5974961371853682429518274EEE710C059253925F307521D0BD55BED001C4CDAABB3F5DA2067E2A9F5E56B741
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):21032
                                                                                                                                                                                                                                      Entropy (8bit):6.541043818179056
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:C8R71h7yzt94dHWFgQBVWeHWFyTBVW2dNyb8E9VF6IYijSJIVxRNUr:/1dyAqgQBfqyTBZZEpYi60S
                                                                                                                                                                                                                                      MD5:916F1422863E6E79BE296898E09AE41C
                                                                                                                                                                                                                                      SHA1:0AF138ADB95956E52E636544F37968415B29AEA5
                                                                                                                                                                                                                                      SHA-256:DBA7D8644C6D46E0EDCA62829C09767E20AC8A5E52AD178BB22ED952976A163C
                                                                                                                                                                                                                                      SHA-512:955A43AF45D4262C938AC169EBFD457291DBF650B730D447B8E6DD5C2D88AD60D9891610932E7076103FFB068326C95BC04F475FA3EEB4C063FF500DF044C594
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):18984
                                                                                                                                                                                                                                      Entropy (8bit):6.683466650805465
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:dpsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWb8Nyb8E9VF6IYijSJIVxZ8obo:bsPMQMI8COYyi4oBNw4tBrcEpYi60g
                                                                                                                                                                                                                                      MD5:2C6D15F1DAC2EBF14D0FB2A2C7A4DDCB
                                                                                                                                                                                                                                      SHA1:A18BB8F315D9321F8016D8E15BC04A6725465B2F
                                                                                                                                                                                                                                      SHA-256:B8FFA01A630F1E0A342EC51036496F1585148BFDCC8FE0BB43E8B46A275A2607
                                                                                                                                                                                                                                      SHA-512:98E2E2CC297812A8FC67B35F5F44C60125920F51C0370C89D17CC68FC7518B43D01EC4175BCAA0236056E2BA6D910239D70E902B3E55ED34DAC4840A0879BDE7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):23592
                                                                                                                                                                                                                                      Entropy (8bit):6.318460763867933
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:mbhigwLAuZtM66g/Id7WVXWgvNyb8E9VF6IYijSJIVxdTtl:mbhzkKs9TEpYi601
                                                                                                                                                                                                                                      MD5:3A3C8C03E8B6487E263D7B0F071D75DC
                                                                                                                                                                                                                                      SHA1:F4AC78C21322BF8B8C2CAA36AC3C8483EACD23FC
                                                                                                                                                                                                                                      SHA-256:B3C0425DB497A8963138CC1503336BE3BCD9EB617EE7CC22ECF60E2358A1A237
                                                                                                                                                                                                                                      SHA-512:79A2A9AA6AC194B4CB5F4EA04F1F0C9169AF14151BCE54C8460A5A46366ED7F129E7383AAA41586EFEF6AFE36249A34A174D75B3A2678A2330DC93480231EC31
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.864288429882081
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:sUcX6W9aWTmNyb8E9VF6IYijSJIVx7y535XF:sUchXuEpYi60s
                                                                                                                                                                                                                                      MD5:55D4283CB52E89F9815618E1FBBD05CC
                                                                                                                                                                                                                                      SHA1:AF8C11AD75F0708F531EB8246E461BDFC0DEEBBC
                                                                                                                                                                                                                                      SHA-256:B789D554F02DB5E29069EFB506B3E3D951A5E33CA630B85F12EC676593EDBBF4
                                                                                                                                                                                                                                      SHA-512:C7FCCEE4550AEF7DEECBBAE03454EF8EB1B31CAE8EC33985E1BD71DCD25465F4A73D9920C728088C0EE0147A69D92E5A3073A3C52849A005F34E96094CDCB667
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):41000
                                                                                                                                                                                                                                      Entropy (8bit):5.950245101846923
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:JoBj7kS+8mjvHTeaWKs0Sd4eeUAEpYi60k:UPmb9WKs0PeeUJ76x
                                                                                                                                                                                                                                      MD5:7190AEEF4D2152208FE23AA15A83B47F
                                                                                                                                                                                                                                      SHA1:D833E51CE40AD5F7A3DF04460B3C5EBB8E7903F0
                                                                                                                                                                                                                                      SHA-256:BCC8367E48F9530990714BF647C8F79556F85EADAC98BDF8C29CC2FECD47C354
                                                                                                                                                                                                                                      SHA-512:DECE7D9566EC2F46D00A59D14A7717D6BF6A80E51EB4EF38D059AC7A3DC0D0CC6D731EAA5F770199E76C22586E6F05D7A9E8F540234CEE73C318AEF62AA73090
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.894751959894498
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:aTI2pWPzWmWeNyb8E9VF6IYijSJIVxWxypPVl:aE3bnEpYi60ppdl
                                                                                                                                                                                                                                      MD5:1E749386BCBB0C2CDE9943DA1C26B888
                                                                                                                                                                                                                                      SHA1:78DA8BAFFBF345B40169BE1DCCDAA27D475F7FF6
                                                                                                                                                                                                                                      SHA-256:6D4513B6C865C7AC7A190C24D0CFBC433C94AC85D4F562A1D0A6590F970C8B57
                                                                                                                                                                                                                                      SHA-512:CEF289B0C237E35E1DE3D737CEA9FBC4C64F4057C04B748B3D084124C29924366F7893564D20B1389CD37F770C219698D26534D833F40371497575B737FC67A0
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.911553918502177
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Icezoy4W04WGINyb8E9VF6IYijSJIVxmij:IBzoy+kgEpYi60v
                                                                                                                                                                                                                                      MD5:38A6DB7CB798CB523B65AE8483180BCD
                                                                                                                                                                                                                                      SHA1:3CB1A3BD6A5DA5FC4FC222B08866AF114FF81092
                                                                                                                                                                                                                                      SHA-256:11EF185307480DAC3754B67727BBEAE74C6709A437D7D0E8BBC642A3C2A43F7F
                                                                                                                                                                                                                                      SHA-512:66081322B339883F5DBDE57E01552D1868DE7139B70FE7E8AE1061D31420B28F58507EC918333884347C2328862CA9AF431BB71A2C40FCAB1F3456291C0527BE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.795177677038789
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:yH/JWKpWDQNyb8E9VF6IYijSJIVxXuKsa:yH/j8oEpYi60v
                                                                                                                                                                                                                                      MD5:0F6C0A12BFB3ED8DBF456438FD858420
                                                                                                                                                                                                                                      SHA1:0E5A9F3FBF695A223538E4D821AC1F308FAC4483
                                                                                                                                                                                                                                      SHA-256:413F2327A3AE6170709DBC05BE4B677C41AC516446D2883D414B8464268F8D15
                                                                                                                                                                                                                                      SHA-512:97EF267FBEFE42BBA8AD718B4295291A21BC35956E222F6DB3482F4222B44D7EAEA6CCCA6C3F713734F2A9A9410992F16956D3A6AE4B2B8AE351EDF5F6B9E505
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16936
                                                                                                                                                                                                                                      Entropy (8bit):6.745657963583126
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:+TjbocNsWMhWqiNyb8E9VF6IYijSJIVxtLC8y:uboYyFiEpYi60ts
                                                                                                                                                                                                                                      MD5:86A808028274E9D6DF90714621E06353
                                                                                                                                                                                                                                      SHA1:3A47D7A175BE7B44851C5AF8967EC330D2E7825A
                                                                                                                                                                                                                                      SHA-256:8A25793A632ECF02D29D7FFAC07DBEC187B4A0FE9B46A4BA44E6BE5CE3D08E89
                                                                                                                                                                                                                                      SHA-512:20F8F4A9D92528EC742058CAAC5E0B7CCFB36CA5910E5315D9EF0B675626A17A5B328A15CE1269524ECB794C9E4DC4B8AE1121C774FA5628B2E21F944AA71360
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.845358763894717
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:vSKiWIhWG3Nyb8E9VF6IYijSJIVxLp8Bz:vSK8l7EpYi6092
                                                                                                                                                                                                                                      MD5:E971856435385A977E2E0841EB2C15F1
                                                                                                                                                                                                                                      SHA1:2F03E049E9F205BD9A7A710DAB3E143A77CDE03D
                                                                                                                                                                                                                                      SHA-256:D50DE679C339893F84ED644A6A632816D8B1C38C961BC4835C81604318CE7B36
                                                                                                                                                                                                                                      SHA-512:2063A3219789C12308FA04D79380D6D801242292E22DBAA6808727147EDB27A62C4728F0867E91374A5C5FAD8AA98168A66394E23D59EE3D7AE65CD7FB1BB8CA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16424
                                                                                                                                                                                                                                      Entropy (8bit):6.786849563106118
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:D0KbZWApWmWTpWSDNyb8E9VF6IYijSJIVxkp8hEXO:YKRyhfEpYi603+XO
                                                                                                                                                                                                                                      MD5:FE9772147C5C4EFB20A6B0F16B53C1A7
                                                                                                                                                                                                                                      SHA1:4D50591115EFE5667CC5CCF0E69ADC730006E9F8
                                                                                                                                                                                                                                      SHA-256:28965739D1C84F05DDFB4C4599296C8F06E33368948F9BA285990986EACFFC2F
                                                                                                                                                                                                                                      SHA-512:30D0D3470993FBF5CF56401703B2FA3DBB981079775E00A1F25CC9BB4228108D862395C05E8C01CFD885C8D7AAD463BFA3948524753F9DD5C6D6CFFCD369BB47
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.874592163148146
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:7b1nWCXWr7Nyb8E9VF6IYijSJIVxnY3EeGFI:n7yXEpYi60XG
                                                                                                                                                                                                                                      MD5:F872FC903187D5D0275C030AC0DFA5DB
                                                                                                                                                                                                                                      SHA1:BB660C49EE9EB96B4EA37167C39A5F299AE49556
                                                                                                                                                                                                                                      SHA-256:F4525AF58D2ED7A084286EB71947F6A29F712250DC2510895311E63BF0B62ED9
                                                                                                                                                                                                                                      SHA-512:D50C68F3EAA788CCCB12E7833F28A5947CB42B6FBE51FE8A39FEC7EEAF6A2FCED526D38510E2F2C81044F378A26D38869EA82C196AA23F90744E629FD6E74A8C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.776067478918499
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:rLyW7TWyDNyb8E9VF6IYijSJIVxRr97pB:3fPfEpYi60v
                                                                                                                                                                                                                                      MD5:2703B21B5529FA915CFC0AB5F733F505
                                                                                                                                                                                                                                      SHA1:0CE6AA2D3345DECAD00A96A1C217C7D8D6115573
                                                                                                                                                                                                                                      SHA-256:66B895DA76E875772D6057DBE0763CB5A5E68D3D806E846C549A0D663914A348
                                                                                                                                                                                                                                      SHA-512:4DBB5556462BDA198CA119777DC89F5A31EAFECDB0B1F7BAD4AF29A1F49E8AD5CFDD08B52C8FBF7DA6352DB062593B1842734194C237D4F0EA93DA986939F2F9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.905928977470625
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:K6Rb32WVzWwtNyb8E9VF6IYijSJIVx0kfw:lRb3dtJEpYi60E
                                                                                                                                                                                                                                      MD5:DDF80C084EF5E94367B10D304CEBF007
                                                                                                                                                                                                                                      SHA1:ECDBCDFE7EFB3FFC837DE9AEA7F364488A73E6FB
                                                                                                                                                                                                                                      SHA-256:0BBB884A72284397444636FC9524BD36A18EB9F08FF0513DC58F1410F4B5E2F3
                                                                                                                                                                                                                                      SHA-512:A590DEEB9B42DE2CBA518A7522FE48620AA4CE9EE4031A5D85F8D7654C6E9B0862073DC65866364B1A49543D6FF9A3D1D2E041D3A7E9E299E61D32E48C1100D5
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):31784
                                                                                                                                                                                                                                      Entropy (8bit):6.537588468799282
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:6u5I+sqOylryry8qqIfUc7a5eMEpYi60+a:6YIVBpry8qqIfUcm5eF76Za
                                                                                                                                                                                                                                      MD5:240E33A65BF76FE22C53C51334794F49
                                                                                                                                                                                                                                      SHA1:3DD0F8463267A2817692A2609F938AB4BC8A9323
                                                                                                                                                                                                                                      SHA-256:F1A5E6E1BCD3BA5DF7769FD57CAFB4148F277DC4D01D7E92277932B3207F7DEC
                                                                                                                                                                                                                                      SHA-512:877E2D9132D72E56C15B5653553AC8CB4DEF7E99C93C42F91422B6032CC3BDADFFBA138EB47055C8F066BAABE75C7C9FDD3B4BE478817D3E9442B42E3E3D7D53
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.876610036932806
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Gvn4HREpWiQWtIANyb8E9VF6IYijSJIVxeWDNLPt:ZS/I4EpYi60/t
                                                                                                                                                                                                                                      MD5:800E60AF916F68B7FE83A7BA7977D2AB
                                                                                                                                                                                                                                      SHA1:12358E012D8593AEC3C7B56829AD6FFC3D6AC6C4
                                                                                                                                                                                                                                      SHA-256:F19D8C45F0B46C3ACE374CE95A4DE007BBAB4EFD758E0B919189284FCF441A7A
                                                                                                                                                                                                                                      SHA-512:7C5160DCD50830381D3A3AF000985A397592D2E29055DCD1796E5019B842FEB37681C3BE733FC9A44F2F57C171C4FAA6151CEB6261C3A760504D41F67709545B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16424
                                                                                                                                                                                                                                      Entropy (8bit):6.770984279504455
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:u8MjKb47T3UCcqFMkJ59WdtWcnNyb8E9VF6IYijSJIVxo7E:rMjKb4vcGdO7LEpYi60F
                                                                                                                                                                                                                                      MD5:CF3AD5E39C44790E7153D98DBDD75957
                                                                                                                                                                                                                                      SHA1:4F2051AE5E7CBB044D3E644A12A158E3DF25ACC8
                                                                                                                                                                                                                                      SHA-256:E273B1437CA235BAE1882C11AE30E4455D6C1126EC3ED8A5C725C72F2EC0F019
                                                                                                                                                                                                                                      SHA-512:5DC888194516F8CF2898115F82917D72BF959E0E2363E8D05B9673B47AD2E508D3F5AF9B07308AD799A6652C8B8A5ED9C643A93851F554829638FF3B221B63AC
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.854623689785651
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:RzyNXd4+BW6FWqkNyb8E9VF6IYijSJIVxDYhgsz9u:sztEEpYi60cX9u
                                                                                                                                                                                                                                      MD5:B7EF0237654140B400D9575B3348A0A3
                                                                                                                                                                                                                                      SHA1:7FB92D1A2A22DAE79495A706D0731BE11F8DE152
                                                                                                                                                                                                                                      SHA-256:21A13851A9AB68F913E6FF595A7A9EEB28C5BB2897E0FD4F4F7D754AA3DD4567
                                                                                                                                                                                                                                      SHA-512:FC8D5BB1488B006907994A9B5707355600FA8EE678F1BC2FDAAC486E880DA1E49556EEFF0E9A3A92059F88850CB74F72DDCB126380D28B6026F932A0D0F256B4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.858929061681379
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:8vs2Q3HKJNrWWRWfUANyb8E9VF6IYijSJIVxm860hHS1cNF:8uM0xEpYi60P/HS12F
                                                                                                                                                                                                                                      MD5:7A8109EB3BDB2109EB3943D308653760
                                                                                                                                                                                                                                      SHA1:E166A011944F07AF9E235CADFE60FC63FDA2C90B
                                                                                                                                                                                                                                      SHA-256:7FC7700777C084406A0408650880D0DC341395CEAC70A1050C97655EAB47A84F
                                                                                                                                                                                                                                      SHA-512:EFB62188F74A365BEF8E9E6DC593CC7A2E3B15C0F60F3F0D921D327D3C58AFD48164B3754DBAD5DC4277FEAA275705A65929818214289344245D9CDBA10AF1DF
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.826916157243993
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:dFz0Q6gcqRhcsMWdMW+kNyb8E9VF6IYijSJIVx9JtGHa:dFz1c60EEpYi60LCa
                                                                                                                                                                                                                                      MD5:5CB31F305FA31BBBDE93598B09341AD2
                                                                                                                                                                                                                                      SHA1:3AADCDA2D6A06E01B1D95EA72F54E3DB162F7F50
                                                                                                                                                                                                                                      SHA-256:77C01CBE120119813044E7E4D1E07960099387A3887B3CF7B03438D7A79C6282
                                                                                                                                                                                                                                      SHA-512:8FA8099E5AB4256317E75A70BA658CA3F401A26EBC062588A805402EA0DC0CB9F1BB55839B0F00A17A04E70EE1A206E75337EDD0B5C11643D0351655DED11337
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16424
                                                                                                                                                                                                                                      Entropy (8bit):6.7212625286101515
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:a6xWA3W4aW/NWQvNyb8E9VF6IYijSJIVxIJgxDJ:aaB/TEpYi60PDJ
                                                                                                                                                                                                                                      MD5:F3BCDE298AE95A6686C51C1533D13DC6
                                                                                                                                                                                                                                      SHA1:6DF2A0B078E68523BB584FC6F5C4C17ACD6DC14D
                                                                                                                                                                                                                                      SHA-256:763EB552EF818E397C692FA1F076F569DECACDC7CA31689B4AE2FBE897163CD1
                                                                                                                                                                                                                                      SHA-512:69528981A1C8684045347F6C600F7CAB9A41FD568606AFD9BC20AE0F958B225C51545E472507556DB3849E4E8DB9C7EEA1568E2DDE0C6209B8721A2EAAE89305
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):73256
                                                                                                                                                                                                                                      Entropy (8bit):5.954346769832472
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:B784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAsk76nwn:B7N1r9KGI04CCAskwwn
                                                                                                                                                                                                                                      MD5:084E3B8ADA8BF97176D8A84E0B2FC539
                                                                                                                                                                                                                                      SHA1:76D7CF8DC99FF5C83D01A540BED2E3516968B113
                                                                                                                                                                                                                                      SHA-256:8F5B110565A224BA914908A2AE8823350253474C9ADF1CC0D06A92671A9AE002
                                                                                                                                                                                                                                      SHA-512:882577C020B22B7FC841862D92A601C645F0249AD597498E5A99557B910244D43CAC74966A396A3BE2469FC503C20F0810C846A52386F8286A38AAF3D924D716
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.853650060576054
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Kr97WquW6/Nyb8E9VF6IYijSJIVxkp9ij:KRJKDEpYi60eQ
                                                                                                                                                                                                                                      MD5:D91F97304DD898E07554CE01739E9C78
                                                                                                                                                                                                                                      SHA1:45D9D0F0522A1097563AB220C10BD228E313B80E
                                                                                                                                                                                                                                      SHA-256:9F5AEA9AF29F645C417EC03D8EDE29040461242C77C70E17F89C3DBF2F2207DD
                                                                                                                                                                                                                                      SHA-512:67BF4FA43ABB88E3B21B7E39D6527250D0020F7A08D0121313A1402F7C7BC6EB25F9FFE434B7B546761B7DD333937A0C7D26C8343D07B180F8C6035A6EC2C83D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.792826561587803
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:F16eWLDWGoNyb8E9VF6IYijSJIVx4nWtt3:H6LbAEpYi60FtR
                                                                                                                                                                                                                                      MD5:0C0D34408ECF8E9B3D72C004CF780C8B
                                                                                                                                                                                                                                      SHA1:01FFD4CA2B40E5722CC33D5E224DD129C6D7F6E8
                                                                                                                                                                                                                                      SHA-256:25289211A3653876FB4B69849866BBE0E9F98FA2772929BA8042832EBED94082
                                                                                                                                                                                                                                      SHA-512:FC8E4AF721E32A4851529BBDD73E4EB3CF21C160F448FFA4A23828726C288B2ABEEBD9CFDA4390A9911A4EAE1D46C6A2FC6B1314816928C5A8163D406C1779C8
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16936
                                                                                                                                                                                                                                      Entropy (8bit):6.785088378774488
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:x8G4YC2W+wW8WpwWU4Nyb8E9VF6IYijSJIVxP7/:+GZ5OwEpYi60j
                                                                                                                                                                                                                                      MD5:B11A1EDFB7BF4F8641D9BDBDEFE01361
                                                                                                                                                                                                                                      SHA1:A51FE13BF202E6E7CD3464B0F09258ED6A7FAA37
                                                                                                                                                                                                                                      SHA-256:B82CF7C934C3F91733944171AE4E3E4DCAE53CE6A46EACE871E7BA010CCE9171
                                                                                                                                                                                                                                      SHA-512:287A62789ACD80A7691F337EE9E8080A000E75B46CBA9E1466E047F8AF4F4B8578502E04C21423C1097B82A3381626797E07DBC80FF7C4E294AF0177567008C6
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15400
                                                                                                                                                                                                                                      Entropy (8bit):6.9002603008267265
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:J6ziqTEkGWvRWH1Nyb8E9VF6IYijSJIVxKPTk:JYT1cREpYi600w
                                                                                                                                                                                                                                      MD5:9E80A264FEFC33F67734AEE3676A91CA
                                                                                                                                                                                                                                      SHA1:3D9EE94141B96C33640F529CFFDFECCFA09111F6
                                                                                                                                                                                                                                      SHA-256:DBE2FF30D10C66A9BF4591A13EC9C07B02D7EC97743C875144505136A4D1DBBA
                                                                                                                                                                                                                                      SHA-512:B2D6AD370724EC0B7E7B6B3CF8BEC7426DD80A3115F73052ABFF13A4159E0BDCC2F7D62DC0164B8300CB695408DAC56C428B1B1C9B825D710E9249CBA0A6FFB6
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.810145599200941
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:0Uv7c7iWNCWq0Nyb8E9VF6IYijSJIVxIL59:0M7c1m0EpYi600X
                                                                                                                                                                                                                                      MD5:18791F51B30C35E1854C9A8D29646DE0
                                                                                                                                                                                                                                      SHA1:FFFA650CF69699835CF76CC56B943D038488FD76
                                                                                                                                                                                                                                      SHA-256:05C243E6C5261F112792260F708F2A473E5A2E79B3E022CE525F097751B850F4
                                                                                                                                                                                                                                      SHA-512:557FEE73D55EA194D12E845AA92F1FAFA86FAEABBD2D38321664350733F4EAADAC5A5827D08247FE6EAF07B2FE58760097B8B40988054C5946A88231FCD578AC
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15912
                                                                                                                                                                                                                                      Entropy (8bit):6.853949257369427
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:1+vxmNWnRW5TPMNyby2sE9jBF6IYiYF85S35IVnxGUHF8C8n8Q3M:ISWnRWJ0Nyb8E9VF6IYijSJIVxIAQ3M
                                                                                                                                                                                                                                      MD5:3B6EAFCA26AAC70CAC6C873EF5623AF6
                                                                                                                                                                                                                                      SHA1:C3F0ACDDF6193F59B6FD4A467B5EDD6A0F7E9771
                                                                                                                                                                                                                                      SHA-256:2F7DC5A3678E01C11E5B06153CEF63C7638BF7DC8A9EA6E2B9EADCBAF947709F
                                                                                                                                                                                                                                      SHA-512:50CDB22F27529279486A1C7B84E6F4C3770A89A6455C86E9B09407D386DE8E280BF605897766A7D67E5CACA6C4CD7E112BBDBE3EE290370B8BC0115082EE991B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with very long lines (337), with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):5166
                                                                                                                                                                                                                                      Entropy (8bit):5.049491941828254
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:0Wgesge1DgedQ/gnSi++aPGl7p7Al4gnSi++aPGl7p7Ac:06I1ddVL/N7c9L/N79
                                                                                                                                                                                                                                      MD5:D988E7D3CF50ECE6F971814736676C5A
                                                                                                                                                                                                                                      SHA1:1C93E25D1046618434C4BD4776B79760101C1C84
                                                                                                                                                                                                                                      SHA-256:B0759EDACDC8965FCADFDA6E8B06C6AC9C2ABFE0C26B5E631A7071BE369B1B3D
                                                                                                                                                                                                                                      SHA-512:EF978C1A8EBC9AA0B154614BB638B1436EA4967C2A662C7E0C68CEE4EB5611C7D0F8DBB5214CF6429B43C18CB4CD5A270655CA913A9D2E0107831EEA31B716AA
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:2025-01-14 13:35:59.9595|ERROR|WuApiService|Error on retry number 1: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2025-01-14 13:37:01.2204|ERROR|WuApiService|Error on retry number 2: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2025-01-14 13:37:42.3420|ERROR|WuApiService|Error on retry number 3: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2025-01-14 13:38:35.2035|ERROR|AgentPackageOsUpdates|Error executin
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):92712
                                                                                                                                                                                                                                      Entropy (8bit):5.483787905211059
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:/2Ec05j4eAH64rh5fSt5T9nFcI94WYG76v:+lK4eA7mDmWYGA
                                                                                                                                                                                                                                      MD5:EEA74039309D9480AB49CABD8D2F5B1B
                                                                                                                                                                                                                                      SHA1:21A94EED07C9EC10B98DE07A6884D30568C5061F
                                                                                                                                                                                                                                      SHA-256:9710540DDF8CC6CD092612892115D0D539A853B856BA1BB694EAA3719A663A39
                                                                                                                                                                                                                                      SHA-512:5DA9C32494BA499F8F409C7DC6FF1661F1E6635022C90FDA64DABC9297102D693843C8E39BD38E693980342FFDBFF972A526722AF75BA130140DA3917D9788DC
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3025099
                                                                                                                                                                                                                                      Entropy (8bit):7.999917825476981
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:49152:L/snUpmkynQXrqb091jbpTsZOprMnuzM9HFNX/F8J5fSz+ukPo5O08iDw5ip54FG:LWU0QXOb091RJrL43WYxTM08iDfMo
                                                                                                                                                                                                                                      MD5:108BC29224053A4735170BCB644CC73C
                                                                                                                                                                                                                                      SHA1:9A4B8929E890443DC8204FCCBF4BDB6C6C853A3E
                                                                                                                                                                                                                                      SHA-256:7C7C62702B5A6CA58084C1EC776116D1A7D697D7A104F2BB705676088C8614C8
                                                                                                                                                                                                                                      SHA-512:883D76DD6B1395BB545461EC0A88CF797524F922E8787ABB27CA681ED72FE75C57732C5E17C7181509F98242871B7AFC0398F69D7B04A043EDC21B57DC88482A
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):57896
                                                                                                                                                                                                                                      Entropy (8bit):6.173653035778126
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:RJZ9Gx/x4S7IRyh+ngOBF31+ywIsybxluYL6uKjxtYcFm7B6K+EEpYi60Ttc:RJXA3ogMF+KTbxWuwhm7Bl+976b
                                                                                                                                                                                                                                      MD5:CB9890B01A396F64D702AD10F441003A
                                                                                                                                                                                                                                      SHA1:44C086CE6BB8078E252F41F5BECC1CB650FF2F33
                                                                                                                                                                                                                                      SHA-256:1A7194E86B266261501B7ED1AD3EA13FE73DFEEDDCD1BA884894A0155BDBE2EA
                                                                                                                                                                                                                                      SHA-512:6CEA4A2E31BD33CC13A9F5EA4D162B75BED863DB2569B0ED46C7389F3BCDBA3333CDDDCF2EA83C95CE3678458796D4A476F151705CF256E0F4EDBA6CD1CAC952
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1251
                                                                                                                                                                                                                                      Entropy (8bit):5.000868036244702
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:JdszvPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3sB7iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                      MD5:16D1DF732FB7C3FE51EE9657C5AC458C
                                                                                                                                                                                                                                      SHA1:32CECF6AA8A03E11A967D54C67F9404F6A73D57B
                                                                                                                                                                                                                                      SHA-256:4FC493DA952DF0968311A06FAC3A5D03FBC2351DB77D0D907A1FAFA4ADA08777
                                                                                                                                                                                                                                      SHA-512:1F33ADA48F1ECAFA9238B87A8743C0A92953D123A917E38EC9F7EA7B92A7514AF6F244E4E3F77141D9ABDC11D120641FBDE9318525E0C3F2DC16F6E1D91634C9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>... <supportedRuntime version="v4.0" />... <supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <asse
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):12
                                                                                                                                                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhXTLS:WBTm
                                                                                                                                                                                                                                      MD5:B59798490D7FC941B65D9D167BF653B0
                                                                                                                                                                                                                                      SHA1:847D3B03FCC645D7DECB28202E6F81B4D74DF41E
                                                                                                                                                                                                                                      SHA-256:43908848F40428C43F5E14EE3936E05BBB34B25B1AB02649C1B18A9B865E5F5B
                                                                                                                                                                                                                                      SHA-512:E90FEA91F738C54C834A17FEEDC34DF9AEB9B998B650C0046FCD5398AE25A003B6CF1069340CBDDE8BA5C85DC525A50E1967E5508C75E031018D9AC4E371ED3B
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=26.7
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):112168
                                                                                                                                                                                                                                      Entropy (8bit):6.178481255293971
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:Ngs5os2RUW33uzNrscqSofyqwshFDfuX73QbQgLb/xs8bRUi+kEWWdK76tU7:N0jjnl1wuDYjQbQgLbZs8DWdKl
                                                                                                                                                                                                                                      MD5:AE411E264B869D21031D5442ACEF3618
                                                                                                                                                                                                                                      SHA1:CC6F471E281201D4399239EFB184C346321E24EF
                                                                                                                                                                                                                                      SHA-256:37272AB76D36BC3F7371FBB2EA775C1BE98F38E3C9DEFD0D221CB3026DF5418C
                                                                                                                                                                                                                                      SHA-512:F28607F0A814250C728CB4353E8D5B4251E192EC20575D29A3633DC4B726C29861B97F189B3FF83CD38F8CC9BA70F2929317BDC4602C725EC326C13F74E49C48
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):38952
                                                                                                                                                                                                                                      Entropy (8bit):6.3111399953479745
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:GINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgfmj5:/Nsii6v/HS0+OJd5gpKm76tgm5
                                                                                                                                                                                                                                      MD5:16E79C583F7442B4B41AF27F343BB123
                                                                                                                                                                                                                                      SHA1:ACD2A37BCCBF3A077B35759BDF083A5902784172
                                                                                                                                                                                                                                      SHA-256:038D7677C72152B9D2F7C1A55DD19AD0329C627FD473E67A4F202847CF276AB7
                                                                                                                                                                                                                                      SHA-512:A12ABC36729277939968F1A93C01D4DBF15DA75E6ADCBB3B02877201131526BA60A1BDAE2CC9C4F058954F939AA006F343C6499309A2664FEA7BCA346E251C54
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):670
                                                                                                                                                                                                                                      Entropy (8bit):4.870186870231866
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:5lh3rwhI4IaMFj27/tUYCQpU0E+dqo6rHQknd77psLlO:l334IaJUuU0E+QHQk17psLlO
                                                                                                                                                                                                                                      MD5:B4ECFC2FF4822CE40435ADA0A02D4EC5
                                                                                                                                                                                                                                      SHA1:8AAF3F290D08011ADE263F8A3AB4FE08ECDE2B64
                                                                                                                                                                                                                                      SHA-256:A42AC97C0186E34BDC5F5A7D87D00A424754592F0EC80B522A872D630C1E870A
                                                                                                                                                                                                                                      SHA-512:EAFAC709BE29D5730CB4ECD16E1C9C281F399492C183D05CC5093D3853CDA7570E6B9385FBC80A40FF960B5A53DAE6AE1F01FC218E60234F7ADCED6DCCBD6A43
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview: Copyright (c) 2017 Chocolatey Software, Inc... Copyright (c) 2011 - 2017 RealDimensions Software, LLC.... Licensed under the Apache License, Version 2.0 (the "License");.. you may not use this file except in compliance with the License... You may obtain a copy of the License at.... http://www.apache.org/licenses/LICENSE-2.0.... Unless required by applicable law or agreed to in writing, software.. distributed under the License is distributed on an "AS IS" BASIS,.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied... See the License for the specific language governing permissions and.. limitations under the License.
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):398888
                                                                                                                                                                                                                                      Entropy (8bit):6.13429501746206
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:mjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvu:m+e55LgIkTmyAAfTnMLvu
                                                                                                                                                                                                                                      MD5:0D4742755CA8DDC5513D338CDBAEB543
                                                                                                                                                                                                                                      SHA1:05BD67409F6A3FF88FFE57F366B283D01FE6C07A
                                                                                                                                                                                                                                      SHA-256:F6978EF467AC885F35F5EE6F761974CC486DD9CF12AA9178827FE86EC8550B6F
                                                                                                                                                                                                                                      SHA-512:EEA314D7B17E711DFB4AA4C871BD2EDDE5B152B8B19BDCBC9D311A1DF07EA2510A02983C9702C7AB9E839EED8A25BCCAF2AACAA15F78D9D905E452EB9E764336
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710184
                                                                                                                                                                                                                                      Entropy (8bit):5.960661184398182
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:EBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUT:EBjk38WuBcAbwoA/BkjSHXP36RMGi
                                                                                                                                                                                                                                      MD5:E0CA09DECF6BCF9F12BF5AFE621889F9
                                                                                                                                                                                                                                      SHA1:CA79CF74CFBE9FFD2BC818995F6DC70DA29F2E92
                                                                                                                                                                                                                                      SHA-256:822C405144EF0E6D8005948EF59502FCED2B2ABB01B6010DFA5B08155B65D903
                                                                                                                                                                                                                                      SHA-512:63DCAD9130F7254500A0D11A9842D5884CBA626CFD08BBF0D0FB7014EAEB40D6FF4AF9DBE90A34E8769025D4F9719E0B6B9D9BB5E8C7EA46EE6EA06B58EA6AA1
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):22056
                                                                                                                                                                                                                                      Entropy (8bit):6.674556786635184
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:/y/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOqiPn:/uhMaVmzDC6k0EpYi60i
                                                                                                                                                                                                                                      MD5:B9FEB4A492B5DC72D17382371DCFE021
                                                                                                                                                                                                                                      SHA1:A4114182A2F8D2349BD8B43D61E0B50EE4A0FD9A
                                                                                                                                                                                                                                      SHA-256:CDEF6D4BFEB7A3BCADE96BC3009455D638370DE13D213CF496171B93508FE8FC
                                                                                                                                                                                                                                      SHA-512:731DD8DA749570A33C7B0BBA4C4CC6AE67B7910313AA3696F0F6A9D6EBF0F535F979567893E6A62BD7193424331D8A237EFBCB4F5E2EDFA6C25C0E2F6E27F027
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):64040
                                                                                                                                                                                                                                      Entropy (8bit):6.266505546281646
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:EYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zzY:EKC9niwOepJ6TJPeb6NIUFg76Kz8
                                                                                                                                                                                                                                      MD5:735C0F1B3DCB1E83A8C6298CE3354051
                                                                                                                                                                                                                                      SHA1:6DF695211488E5B324FDB5C96934D34226A760F5
                                                                                                                                                                                                                                      SHA-256:B805786E19100ED7896E8B29A0AE1E4C56562C3236DD1F0EF5338926C5FF87FD
                                                                                                                                                                                                                                      SHA-512:97A0A0C2F37B702731213DA3EBCEE9893571F54A9849CF07E620147B2E7EBE4E7095D95031DB4C0D2AF56FA2D1F1A76E06130D51CB117E6C5ADC4AA02DDE9E1F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):138280
                                                                                                                                                                                                                                      Entropy (8bit):6.178438711756712
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:UP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJHd:Uh0qjC5RMOHO420kN12
                                                                                                                                                                                                                                      MD5:7C1E36B577AC6CE1790148F8A1DA8462
                                                                                                                                                                                                                                      SHA1:B221CE6727CAF2AA2DE2D3A320CC402AF69F2096
                                                                                                                                                                                                                                      SHA-256:BF0D85183BCFA66BA242B3E844F01A2069E7332C8CF24BEDE7DCFCAD9A3AEC57
                                                                                                                                                                                                                                      SHA-512:280F6AAAF9585B7F17390C21EC76AF4B33EDB29B1331AF78AE65891249CB233F2B42C726658EA37CDE4582C06C3AD8C5227272874186AB4E3A55D8BFB0B8CF74
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17960
                                                                                                                                                                                                                                      Entropy (8bit):6.637457135545288
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:rTO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF08l8y3:rCn6xYEpYi60k8iy3
                                                                                                                                                                                                                                      MD5:D8258B4140601E682A62B35D06A394FB
                                                                                                                                                                                                                                      SHA1:8EDD41B730DC3667E43C247C2384DBF9E648454C
                                                                                                                                                                                                                                      SHA-256:C89C3ED7B961F0318D780CD95E8758C577B08B168DE9DBDF444D1244CD89B65F
                                                                                                                                                                                                                                      SHA-512:BA07495C9C5852060F4D057F7F630D20B8C3D4C3612EE04B1947C8DF8EE3C1AA9821231FF0C3592978F8F9A9F4EAD03D92D11613388DED93DCA47506242124D8
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):52264
                                                                                                                                                                                                                                      Entropy (8bit):6.161978276948053
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:vb0Koxa6kNbCGUThcuqdpN5BZMgWFv6Chh5GAEpYi60yL:n0VBqXNdM1v6sGJ76P
                                                                                                                                                                                                                                      MD5:A074F080BBC54559C13E01E35B436FEA
                                                                                                                                                                                                                                      SHA1:1D0B9B0EDFD2C4EE22D5BF6999A3EBC05231AF00
                                                                                                                                                                                                                                      SHA-256:A8141F1679C90062BE21CC569542404DDB112C435AFB6CB3E64CA8A11D6E8CF0
                                                                                                                                                                                                                                      SHA-512:4E1B6C46B8714F6F9E82B672D548A7DD1F73363199E3FF970389BDBA45870643D659C4489187515705324D4AEEDC331CFDB055F00AE413EDA4D9C38CC1458C53
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1140
                                                                                                                                                                                                                                      Entropy (8bit):4.958392223272386
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:JduPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:327iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                      MD5:082A70376537A2E9B0BD9DFAD8D2496D
                                                                                                                                                                                                                                      SHA1:1B4A667CFB09D050614149D6FD8A283071DC890A
                                                                                                                                                                                                                                      SHA-256:50934981FA1B0066B22261984941887740838459B5CFA06846BA15F39B4D10F9
                                                                                                                                                                                                                                      SHA-512:763212C74B6AB727C6E2C19CA2CDFC547B357BD5E1E5C196A3A2598DCEB316D3C8E8554A7EDD1AFA99FD38E1153EDC383631D2755BB31E70236084CF27C49875
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedir
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with very long lines (3860), with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3860
                                                                                                                                                                                                                                      Entropy (8bit):5.604151589974578
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:HECI98IbX5aUphNBT/Sz/MHMdl/HaLHhIQdlzb1kIZKk:HEC088X5aUpH5/Sz/MHsdHkHhpdBb+s1
                                                                                                                                                                                                                                      MD5:742EED3AE5701B6A2B54837620AF484C
                                                                                                                                                                                                                                      SHA1:F64B6E719D31752BF6D70F175C7B1A4520DD2114
                                                                                                                                                                                                                                      SHA-256:69446754670BBA00BB84850B67C532B5D7285A74A3290507DBC96E908C7B6E45
                                                                                                                                                                                                                                      SHA-512:D26D9ADDB4C880769A550CA992775D873A3F7AF65FFE04D40793AAB117E6187A5F74367A51A2D8090EE70A15CB81892CED78F75BD332E51509401B74EC437D55
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):301
                                                                                                                                                                                                                                      Entropy (8bit):4.898878940140915
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:tVb5kBm7ObCDL7fsDPV7gRQQgb5kBm7ObCDL7fsDPV7gRvgOBLy:pem717f8PV7UQQ6em717f8PV7Up9y
                                                                                                                                                                                                                                      MD5:F5ADB4BF688F888451346501914E801D
                                                                                                                                                                                                                                      SHA1:B7103D27E3A34C5EA878D342FEE1C317234274A7
                                                                                                                                                                                                                                      SHA-256:D3524D2EEFAD5EDD967349655A68F23475D7C78B5BD97731AAF7AB353F277245
                                                                                                                                                                                                                                      SHA-512:4B517B4260D8F67443E5B581AD4AC07EF819C46B7B2504ADA75E26049D09176548E30CD469501ABC9CA35F1FA62B6FB2FBE218F39A4D85D786F511BE39A5EE2B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\01-14-2025 13_35_10-log.txt, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...Enabled allowGlobalConfirmation..Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...0 packages installed...
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):275
                                                                                                                                                                                                                                      Entropy (8bit):4.877907726544251
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:tVb5kBm7ObCDL7fsDPV7gRoUvlwTS7v33LQ7mLLlGKACCWOKEe:pem717f8PV7UO+fo6BNVB
                                                                                                                                                                                                                                      MD5:DA74935F66150D0D5B81820876FB7CF6
                                                                                                                                                                                                                                      SHA1:72C2E449991D8AC8475D975278DA19E5ECD22602
                                                                                                                                                                                                                                      SHA-256:784F35617FF7C184384B9710C94709F9A55F3FABF51DC8A68C5429BC5A595E2D
                                                                                                                                                                                                                                      SHA-512:A37949ADC8B72F522CCE6875090585A47809E9CB3A269036BF2F318BE87AC189178DB2258410EC4EFADAA5E878074D027A6EE7FEB0C29827546270BD46CA904C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\01-14-2025 13_35_11-log.txt, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...Outdated Packages.. Output is package name | current version | available version | pinned?......Chocolatey has determined 0 package(s) are outdated. ..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):6655016
                                                                                                                                                                                                                                      Entropy (8bit):6.267118093322128
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:98304:jCMEM0MUMRMxMwMkfqbjxbSzGVr4W11ByHY4W6upIjD:jlV1qKpkfqbjeGVr4NHYJ60iD
                                                                                                                                                                                                                                      MD5:C4AD1B5AFC9FC19605C1D18D32CF30A8
                                                                                                                                                                                                                                      SHA1:7950FC1B7E17E740F3B0F88CD746238A48ABF645
                                                                                                                                                                                                                                      SHA-256:27847B79721CDA829F662198CB36C053B458635BE3E85E9A9265BDF9D37B33C0
                                                                                                                                                                                                                                      SHA-512:38DC58B27393488DF69A3378AB2BC250367186912FC4F7D9D3A3AD1C882763F36E22E2FB2056CEF345B4C13A2930D9A16E556054593577DCEBE5D71258120B4B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):9382
                                                                                                                                                                                                                                      Entropy (8bit):4.897728965151623
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:rwhyxWvf7L6ZaBbrzRmXBzCWKZD68NJ+IK2E8V1ExAuVXI4n7rJ+ZXVx:sjL6ZiHt6B+WshDK2EiEJ7lEFx
                                                                                                                                                                                                                                      MD5:14FFCF07375B3952BD3F2FE52BB63C14
                                                                                                                                                                                                                                      SHA1:AB2EADDE4C614EB8F1F2CAE09D989C5746796166
                                                                                                                                                                                                                                      SHA-256:6CCFDB5979E715D12E597B47E1D56DB94CF6D3A105B94C6E5F4DD8BAB28EF5ED
                                                                                                                                                                                                                                      SHA-512:14A32151F7F7C45971B4C1ADFB61F6AF5136B1DB93B50D00C6E1E3171E25B19749817B4E916D023EE1822CAEE64961911103087CA516CF6A0EAFCE1D17641FC4
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<chocolatey xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <config>.. <add key="cacheLocation" value="" description="Cache location if not TEMP folder. Replaces `$env:TEMP` value for choco.exe process. It is highly recommended this be set to make Chocolatey more deterministic in cleanup." />.. <add key="containsLegacyPackageInstalls" value="true" description="Install has packages installed prior to 0.9.9 series." />.. <add key="commandExecutionTimeoutSeconds" value="2700" description="Default timeout for command execution. '0' for infinite (starting in 0.10.4)." />.. <add key="proxy" value="" description="Explicit proxy location. Available in 0.9.9.9+." />.. <add key="proxyUser" value="" description="Optional proxy user. Available in 0.9.9.9+." />.. <add key="proxyPassword" value="" description="Optional proxy password. Encrypted. Available in 0.9.9.9+." />.. <add key
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (965), with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):12946
                                                                                                                                                                                                                                      Entropy (8bit):5.132019659587194
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:ctpHjcTfbZO0g2ZyAvGZkAsoXCxAziDR/67E4Pb:ctpDBCvGZkAsCCxAziDR/sF
                                                                                                                                                                                                                                      MD5:0BB54C9DA241E0EAAFB6C976AC07EAA7
                                                                                                                                                                                                                                      SHA1:045808C9106A4C356AB15A2D8680FDB737DC98A6
                                                                                                                                                                                                                                      SHA-256:071CE6FCE85051E373C1B05BB82A92FFB8BEBF34C768B7A2F6E809000A78479F
                                                                                                                                                                                                                                      SHA-512:C118C9FEC5903D1F2F6A6FA070130FCEBAAD70AF3459DA82069C5C8ED3D66CEE374C098C6247CCD528187B6856FAA458EBBD8B6F2C0C68C2A5B8EF32C2D7CD75
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....# Ideas from the Awesome Posh-Git - https://github.com/dahlbyk/posh-git..# Posh-Git License - https://github.com/dahlbyk/posh-git/blob/1941da2472eb668cde2d6a5fc921d5043a024386/LICENSE.txt..# http://www.jeremyskinner.co.uk/2010/03/07/using-git-with-windows-powershell/....$Global:ChocolateyTabSettings = New-Object PSObject -P
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3903
                                                                                                                                                                                                                                      Entropy (8bit):4.986280475081154
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....$helpersPath = Split-Path -Parent $MyInvocation.MyCommand.Definition....$global:DebugPreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentDebug -eq 'true') {.. $global:DebugPrefe
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1178
                                                                                                                                                                                                                                      Entropy (8bit):5.161789340951933
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# ..# You may obtain a copy of the License at..# ..# http://www.apache.org/licenses/LICENSE-2.0..# ..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....if (Get-Module chocolateyProfile) { return }....$thisDirectory = (Split-Path -parent $MyInvocation.MyCommand.Definition)..... $thisDirectory\functions\Write-FunctionCallLogMessage.ps1... $thisDirectory\functions\Get-EnvironmentVariable.ps1... $thisDirectory\functions\Get-EnvironmentVariableNames.ps1... $thisDirectory\fun
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2892
                                                                                                                                                                                                                                      Entropy (8bit):5.176658574720988
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.param(.. [alias("ia","installArgs")][string] $installArguments = '',.. [alias("o","override","overrideArguments","notSilent")].. [switch] $overrideArgs = $false,.. [alias("x86")][switch] $forceX86 = $false,.. [alias("params","parameters","pkgParams")][string]$packageParameters = '',.. [string]$packageScript..)....$global:DebugPreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentDebug -eq 'true') { $global:DebugPreference = "Continue"; }..$global:VerbosePreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentVerbose -eq 'true') { $global:VerbosePreference = "Continue"; $verbosity = $true }....Write-Debug '---------------------------Script Execution---------------------------'..Write-Debug "Running 'ChocolateyScriptRunner' for $($env:packageName) v$($env:packageVersion) with packageScript `'$packageScript`', packageFolder:`'$($env:packageFolder)`', installArguments: `'$installArguments`', packageParameters: `'$packageParameters`',"....## Set the culture to invar
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1751
                                                                                                                                                                                                                                      Entropy (8bit):5.27319452124258
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....Function Format-FileSize {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Formats file size into a human readable format......NOTES..Available in 0.9.10+.....This function is not part of the API......INPUTS..None.....OUTPUTS..Returns a string representation of the file size in a more friendly..form
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (505), with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):11504
                                                                                                                                                                                                                                      Entropy (8bit):5.008896354130034
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChecksumValid {..<#...SYNOPSIS..Checks a file's checksum versus a passed checksum and checksum type......DESCRIPTION..Makes a determination if a file meets an expected checksum s
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):10482
                                                                                                                                                                                                                                      Entropy (8bit):5.191184135569746
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChocolateyUnzip {..<#...SYNOPSIS..Unzips an archive file and returns the location for further processing......DESCRIPTION..This unzips files using the 7-zip command line tool 7z.
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16502
                                                                                                                                                                                                                                      Entropy (8bit):5.146477219224201
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChocolateyWebFile {..<#...SYNOPSIS..Downloads a file from the internets......DESCRIPTION..This will download a file from a url, tracking with a progress bar...It returns the file
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):4123
                                                                                                                                                                                                                                      Entropy (8bit):5.288017280806032
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:cSyL+4pGXHFKotzWfp1Vr4MeAWMK13MqhPTv6ee5:cSyL+QGXH3Gp1VrSAQ3Mqg
                                                                                                                                                                                                                                      MD5:E564E914B196DAC040D08110D5D8718D
                                                                                                                                                                                                                                      SHA1:2532E9010D3A67A6FF345F2564A843800DC59CBB
                                                                                                                                                                                                                                      SHA-256:5AF7D3DC6B44142492B9E31A69352873D43D570D7D4718B2942A67D3D6180951
                                                                                                                                                                                                                                      SHA-512:06127E83C2BBDA160183D3DC5E51E652E2011C760B561DA639BDF847F085DB3E93E3C5F0B5C12C1114D228C3882E0FBC81418CF9CAA3C04FA837CE0A68574EFF
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-EnvironmentVariable {..<#...SYNOPSIS..Gets an Environment Variable......DESCRIPTION..This will will get an environment variable based on the variable name..and scope while accoun
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2060
                                                                                                                                                                                                                                      Entropy (8bit):5.165746374691896
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:cSyL+4pe90AlH31KoMfcM1KIcoCtJS0RjhYigLiO:cSyL+4pGXHFKovCZWdQ
                                                                                                                                                                                                                                      MD5:D4DF76AC88518CA76BD5EC4605C55781
                                                                                                                                                                                                                                      SHA1:8B540089E4B1AF183CF9D8053043BD4252A8B2BB
                                                                                                                                                                                                                                      SHA-256:F73E30026DC59EF1B1375FE869347BAE2E02BDC51117E17DD2717E7DE7F712F6
                                                                                                                                                                                                                                      SHA-512:BC37855DDEEF6BD3BECA66109F3EBE09B82409DD8EB1B6DEFC1ADCCEA397356FB521BC22CA8B7D34A418EB6EAAC1E9B277CBD333251A149C46E104980FBF3071
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-EnvironmentVariableNames([System.EnvironmentVariableTarget] $Scope) {..<#...SYNOPSIS..Gets all environment variable names......DESCRIPTION..Provides a list of environment variabl
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):7947
                                                                                                                                                                                                                                      Entropy (8bit):5.051645140778019
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:3SfwB1bbVPeBlvvJ5nli61sre8+007Oc+pbkmzqMd0yiW:3SfwHBgPd04OHpb3yW
                                                                                                                                                                                                                                      MD5:15DDE6C604B0BD3A0C1F569BAAC9B91B
                                                                                                                                                                                                                                      SHA1:9366C80608BB20A9CFD84AD574D561E481F9B0B8
                                                                                                                                                                                                                                      SHA-256:12FA2C7D770F0AF308D535A3523903F730A2121B2C72D05A9EA7BF9E5AA27C72
                                                                                                                                                                                                                                      SHA-512:B2DFDC3BC98ADE4486A0CC30E3124F16F9788D6DD8214DF4C6460FE818CFC645EF36FAF03AC99490D0BFEA6A0FDA8646845E9A23C464B13C486E8C8677913339
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.## Get-FtpFile..##############################################################################################################..## Downloads a file from ftp..## Some code from http://stackoverflow.com/questions/265339/whats-the-best-way-to-automate-secure-ftp-in-powershell..## Additional functionality emulated from http://poshcode.org/417 (Get-WebFile)..## Written by Stephen C. Austin, Pwnt & Co. http://pwnt.co..##############################################################################################################..## Additional functionality added by Chocolatey Team / Chocolatey Contributors..## - Proxy..## - Better error handling..## - Inline documentation..## - Cmdlet conversion..## - Closing request/response and cleanup..## - Request / ReadWriteResponse Timeouts..##############################################################################################################..function Get-FtpFile {..<#...SYNOPSIS..Downloads a file from a File Transfter Protocol (FTP) l
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2930
                                                                                                                                                                                                                                      Entropy (8bit):5.220783998189862
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:cSyL+4pe90AlH31KoMBigsroWdBWuzonabOsEahaqTtYkkdrO57XMp0o3jMoF7d3:cSyL+4pGXHFKoySxwn0zhaqT6r8Bo3j9
                                                                                                                                                                                                                                      MD5:5CE49B0DAF505DBCDA1D6E3B21FCCE88
                                                                                                                                                                                                                                      SHA1:68B5493F4C79FA198269A211B4B3A981FE06CEBA
                                                                                                                                                                                                                                      SHA-256:94DC6FBE584FE5DA6333E44F4F0EFA88254A7F78EAC1DE593683A50F33EECD96
                                                                                                                                                                                                                                      SHA-512:580AF8026407DC485BDFBDED106CF3DFD778A900504BF5A66AE1B14C9A1A7F1F80E7E888A26B42446091D40B61E4F3250E3D1CBD661C3557B05A3275E9522545
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-OSArchitectureWidth {..<#...SYNOPSIS..Get the operating system architecture address width......DESCRIPTION..This will return the system architecture address width (probably 32 or
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):7233
                                                                                                                                                                                                                                      Entropy (8bit):5.212503071724739
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:cSyhrzQGXHHyN604JEtV/OyU/rFPV/LA+N/IwX/G3:cthrzQGA4JEArFPZLAkIwX8
                                                                                                                                                                                                                                      MD5:5CB5EC1EFD682DB6B436388E63841227
                                                                                                                                                                                                                                      SHA1:15234AFA9F45671CC89DF05DF9371F125213F5CE
                                                                                                                                                                                                                                      SHA-256:F34917832A7347060BC1B8DCDD05FD4E5AA1672DBFA6A81DBABE9A978AD4B3A2
                                                                                                                                                                                                                                      SHA-512:9E7D279B3CF9D737F2D114085FCBBD6AD13F681BF1365109AD20D9998EF20EA28E7703337E12BA5F350BE4CC37B35E5C7A7ED57FF45896D40B3F628672ED2096
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2016 - 2017 Original authors from https://github.com/chocolatey/chocolatey-coreteampackages..# Copyright . 2016 Miodrag Mili. - https://github.com/majkinetor/au-packages/commit/bf95d56fe5851ee2e4f6f15f79c1a2877a7950a1..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....# special thanks to the Core Community Maintainers team and their work..# on the Get-PackageParameters function that is in the..# `chocolatey-core.
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (333), with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3761
                                                                                                                                                                                                                                      Entropy (8bit):4.908858016895155
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:cSyp4pGXHFKo/jFKv+Q/IT00CSZL5eFYE/:cSypQGXHNRKvGT06L5eFYk
                                                                                                                                                                                                                                      MD5:D248C571C9B745CD77B6FF016245AFDA
                                                                                                                                                                                                                                      SHA1:476E0532FA0972690A43C1227C1E50FED6916064
                                                                                                                                                                                                                                      SHA-256:64CA4E5DF3587448659E052FACF69D47DAB48845929A1D21C386812DEE25285D
                                                                                                                                                                                                                                      SHA-512:114DF561CFD26AEB535B7804AE5C978F1850EA07F609C502BC745683229E06FB7AD76F04F610CC2A2CE4890FCAFC089202BD96BCA146745CCC6226E0FD63C91E
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ToolsLocation {..<#...SYNOPSIS..Gets the top level location for tools/software installed outside of..package folders......DESCRIPTION..Creates or uses an environment variable that a user can control to..communicate with packages about where they would like software that is..not installed through native installer
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1891
                                                                                                                                                                                                                                      Entropy (8bit):5.216117200464903
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:cSyL+4pe90AlH31KoMo/f0n9WZH78+0tJwHKlkn:cSyL+4pGXHFKozeM6+0kHEkn
                                                                                                                                                                                                                                      MD5:D7810321DDE3F67CCD37E6280D9FC5EA
                                                                                                                                                                                                                                      SHA1:052053BEE38A1F79785B40290CC872E4540D6331
                                                                                                                                                                                                                                      SHA-256:AC936BF04E1890321EEFC321A82F353BECA22633EB0F72DC497F8CF5F45EC99C
                                                                                                                                                                                                                                      SHA-512:F365E429C4D013D8C0394575FBEC031AFD03991FC8019860795EC3D8DD7CAB8D43C539FCAED0A04C5C6979E5046166CAD5E2F8D6A3CD5688D78AB17411C0BEDE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-UACEnabled {..<#...SYNOPSIS..Determines if UAC (User Account Control) is turned on or off......DESCRIPTION..This is a low level function used by Chocolatey to decide whether..pro
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):6009
                                                                                                                                                                                                                                      Entropy (8bit):5.183782879831246
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:cSyp4aXHFKo+l0Y9WqbUqcN1bLZAiwSVg2SHBjqmnn3seTIIe8bMH/g4F267rTli:cSypHXHyJvIXN1miVVoTIyJ6rT25
                                                                                                                                                                                                                                      MD5:8BDD492FD645ABC85E1A76BFB3BB9306
                                                                                                                                                                                                                                      SHA1:0B84BACF023719AAF1F52544FDA4B1542E3FBD5D
                                                                                                                                                                                                                                      SHA-256:2F11852DCC6C4C45BAA7355A5ABA501846A96DA75B0332A5347D382D876F94C8
                                                                                                                                                                                                                                      SHA-512:D9B1E7457B71F0DD930C7DD10076FCCB75E2F6AE6E7129FC417F629DE63C34B8448D7F52D733B476BBAC39C2A758444F462CA8839987C6E3C178C592F6212EEB
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-UninstallRegistryKey {..<#...SYNOPSIS..Retrieve registry key(s) for system-installed applications from an..exact or wildcard search......DESCRIPTION..This function will attempt to retrieve a matching registry key for an..already installed application, usually to be used with a..chocolateyUninstall.ps1 automatio
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1815
                                                                                                                                                                                                                                      Entropy (8bit):5.188333753523367
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:cSy93R2O+4Ipg8AQyU0E+SlHQk1GpsLA9NIrd+aL85TiV+hT0hCmTxGz1echWtLt:cSyL+4pe90AlH31KoMCoaYp4AmVMMth
                                                                                                                                                                                                                                      MD5:FE5456E477F7D5131DD448942A3AD961
                                                                                                                                                                                                                                      SHA1:C8FDE141D6D5E6713A13C2A6DF55A07E2BB187E5
                                                                                                                                                                                                                                      SHA-256:88D9BA7C04A62D34EDB6A913CE00463FBDC82A2986AC9F459E04B75BC1728922
                                                                                                                                                                                                                                      SHA-512:261AA5F14F8A98638869A509844ECDEE1286B97B131D89A3B901AC2B40F09066CBC1C073D32DDE3EA160FB2C2F971BA0D6785981C6C180BEC5DC4F0D6029421E
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-VirusCheckValid {..<#...SYNOPSIS..Used in Pro/Business editions. Runtime virus check against downloaded..resources......DESCRIPTION..Run a runtime malware check against downloade
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):12827
                                                                                                                                                                                                                                      Entropy (8bit):5.065872919066253
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:eBbyvHpL71ZxDlVWfYuuiy5nevc/n30zrryM3zE2LoQY+VUqZA:eBgptZxOQt10zrryMFLdYWU6A
                                                                                                                                                                                                                                      MD5:76013037F6A0E623C39D9D07C20D3BAE
                                                                                                                                                                                                                                      SHA1:7DC87082B4D2AB36AB08D6826CA209E2CD7C5694
                                                                                                                                                                                                                                      SHA-256:8FCCA5AA5F0F631FBE9D319EB13C5A282F5DBC1D8D4BC0852021BE0524A6DD39
                                                                                                                                                                                                                                      SHA-512:9D92B42EEBEE276522103D23EF646DFEC32630E97673B816F51841948C6DD9DA89A89B897D515CFFECED7D14174EF83110FFA4B0BA9F64E1738F083592E696F0
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# http://poshcode.org/417..## Get-WebFile (aka wget for PowerShell)..##############################################################################################################..## Downloads a file or page from the web..## History:..## v3.6 - Add -Passthru switch to output TEXT files..## v3.5 - Add -Quiet switch to turn off the progress reports .....## v3.4 - Add progress report for files which don't report size..## v3.3 - Add progress report for files which report their size..## v3.2 - Use the pure Stream object because StreamWriter is based on TextWriter:..## it was messing up binary files, and making mistakes with extended characters in text..## v3.1 - Unwrap the filename when it has quotes around it..## v3 - rewritten completely using HttpWebRequest + HttpWebResponse to figure out the file name, if possible..## v2 - adds a ton of parsing to make the output pretty..## added measuring the scripts involved in the command, (uses Tokenizer)..#####################
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):9247
                                                                                                                                                                                                                                      Entropy (8bit):5.07010917787166
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:cSypQGXHQybOdQVeBAmZZ8mumtrUy5nF2wnK0u/obu5OyDucYhr:ctpQG3G1vPS0uQZ2uH
                                                                                                                                                                                                                                      MD5:CCEF9317BA6E4AD2C5F9ADA169DE64E3
                                                                                                                                                                                                                                      SHA1:0B03F562CC75CDFB7CC184DA8B8E6BA73A6256A7
                                                                                                                                                                                                                                      SHA-256:1D10AEC25CE4A010B338041862F485BDA47494A3A0EE154BBA49F48BCFCF0D68
                                                                                                                                                                                                                                      SHA-512:922BCEFDCC76A32EE81AB0610BA1E256A228075084DE5A85F11D3B67D62F496A86BD59BE3AA5E00EC24E5A2805AD4199D5D38CD05D92D1BBC43F333FBE924D30
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License...#..# Based on http://stackoverflow.com/a/13571471/18475....function Get-WebFileName {..<#...SYNOPSIS..Gets the original file name from a url. Used by Get-WebFile to determine..the original file name for a file......DESCRIPTION..Uses several techniques to determine the original file name of the file..based on the url for the fi
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):5960
                                                                                                                                                                                                                                      Entropy (8bit):5.140316008573171
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:cSyL+4pGXHFKovnYWHVjmlvr79s5nFUFwlmiZn28HeheXeGYDXSqVR2vRtktvS:cSyL+QGXH2QVqlvr7y5nFDXnw0ud3Q
                                                                                                                                                                                                                                      MD5:510D813D8B844FA9ABCF1CF8B294CE83
                                                                                                                                                                                                                                      SHA1:B733C7BC5B1EA00C27895DE8BFB337183D9335E1
                                                                                                                                                                                                                                      SHA-256:58C4E3DE6F018A33E4952AF35EFCCC0B688F1170F733CC10E2C32A33F11A9123
                                                                                                                                                                                                                                      SHA-512:3D3DA339A6B9CAC75CB940B573703BBA5782D22918637D4399636F0F2787436920D6965F2165E294C68107905D556F115CD8416C97A18B12B7F0207CD7721AAC
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-WebHeaders {..<#...SYNOPSIS..Gets the request/response headers for a url......DESCRIPTION..This is a low-level function that is used by Chocolatey to get the..headers for a reque
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):6283
                                                                                                                                                                                                                                      Entropy (8bit):5.232086061865062
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:cSyL+QGXHN0Vk7arlCnBVV+7oc9KYjWndTmw:ctL+QG05rlwguh
                                                                                                                                                                                                                                      MD5:5617A2B6826D73A80E864B42A3404E72
                                                                                                                                                                                                                                      SHA1:61522560BF997DD79C6649F0C1D198510E19430F
                                                                                                                                                                                                                                      SHA-256:9FC392C4558C2579517F24D945D8E1741EB4A5D7893E4E2DCA6CA756443AB328
                                                                                                                                                                                                                                      SHA-512:B4EA54386B427AC314854AE3584EBF7AEB9E178026346917B05249A28CF831FBD7F87D12CCF56F00DA9C4F55ABC7324E69C4AB9B367258AC2F35960BAFEFADF3
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-BinFile {..<#...SYNOPSIS..Creates a shim (or batch redirect) for a file that is on the PATH......DESCRIPTION..Chocolatey installs have the folder `$($env:ChocolateyInstall)\b
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):4293
                                                                                                                                                                                                                                      Entropy (8bit):5.147557599553147
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:cSyL+4pGXHFKooCb/InyxVkR8PIoIxAETBXSYG:cSyL+QGXHeCjIGVo8qXSYG
                                                                                                                                                                                                                                      MD5:06FC3CDC03EC16E85CE73D558D58742B
                                                                                                                                                                                                                                      SHA1:C73F95322D853B964AD241CD9B1EFD1A6AF8B101
                                                                                                                                                                                                                                      SHA-256:E6E24F83FDA53709F7EA93F73533314156F1DA0B028FC7BD063BA1720D1A6ADA
                                                                                                                                                                                                                                      SHA-512:A1BB72C33CC1544432B6E4A3317843331ECB70D954DBFC195A3A6AD3FDF18280F807BF2A9DEC06D036111A46062EE04A87C2D315F4E895D2C7F2DAAF6B4CB48A
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyEnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-VariableType 'Machine'.`....Creates a persistent environment variable......DES
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):4549
                                                                                                                                                                                                                                      Entropy (8bit):5.216765809932499
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:cSyL+4pGXHFKobx0W2Pq44GGVq/r6ck8Tr6ck012gMe5RDJRmR0GRSd:cSyL+QGXHBx03x4rVqDQ8vQubL5HItUd
                                                                                                                                                                                                                                      MD5:D283FDF0627E77F4745CE26CBB134DDB
                                                                                                                                                                                                                                      SHA1:D41419D3F8DC3F22B37E5CDE1090CF19879F8466
                                                                                                                                                                                                                                      SHA-256:C4292F8767BD7E74E85C4AABCDB9EB0ED3B564693AAC1F568EB02FF7529DF027
                                                                                                                                                                                                                                      SHA-512:A14822AEC4351C106325F1403F79DF444CB53C03CB09AE0FF15169CEC821102A11186B321F9FE8CEFC35932FE02A874E984EECADDA3EC5DCA52AB7EDEE9DB1F4
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyExplorerMenuItem {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Creates a windows explorer context menu item that can be associated with..a command.
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3080
                                                                                                                                                                                                                                      Entropy (8bit):5.192518177403395
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:cSyL+4pGXHFKoognbqHdyVO6ckUf1eg9DgH:cSyL+QGXHqgnydyVOQUf1eg9DgH
                                                                                                                                                                                                                                      MD5:44D634D52E391B61FEA2B3311FD130C4
                                                                                                                                                                                                                                      SHA1:AC5184FA6552AD3D2D58EBD53563ED3238E089FF
                                                                                                                                                                                                                                      SHA-256:22FA3870EC2455426BD2BA94B5DC82C241D16F1DBD1AC6979787E947B39563AE
                                                                                                                                                                                                                                      SHA-512:53F5C0D5865DA75816B663CDD4279938401498416A2AD4FD4A7667CC93042D4FBCBC7B2F2F1FD3864CFADBC73908730C6EC7761A77207511861CB277AF8DBF59
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyFileAssociation {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Creates an association between a file extension and a executable......DESCRIPTION..In
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):14313
                                                                                                                                                                                                                                      Entropy (8bit):5.166123502608628
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:ctL+QGm9UIirNuMyrnyBOXOrH2ZoBZiLtM+h1yBPSa:ctL+yG9PKQaOyaBEl1+PSa
                                                                                                                                                                                                                                      MD5:7BB19403672F88442C8510579DEEA62B
                                                                                                                                                                                                                                      SHA1:D7685A3C16C53822D696EE3479451BCF1C42860A
                                                                                                                                                                                                                                      SHA-256:FDAE94594F6DDF60874760BC0E8306422681CE7C177BFA811A625AE74363CCAF
                                                                                                                                                                                                                                      SHA-512:8383D42946F02B72676BF3F6016C0CFA9355AE840320354111B8E40CD9567F46B558B4B60809BF6F0B1364A1F84E6815DC04B02D2F42078E0057F1990CCC83A3
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyInstallPackage {.. <#...SYNOPSIS..**NOTE:** Administrative Access Required.....Installs software into "Programs and Features". Use..Install-ChocolateyPackage when
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17164
                                                                                                                                                                                                                                      Entropy (8bit):5.102467977763193
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:ctL+QG/i9AUaHrN+eNbVPoC8XdI96LMw9lpWo:ctL+jiKUW+eNbVPHMG9Gz
                                                                                                                                                                                                                                      MD5:EF3DA9AA21D97701F975F6E7EC05790D
                                                                                                                                                                                                                                      SHA1:C78F165791049FA3A17218AE2ADEECF79C628E15
                                                                                                                                                                                                                                      SHA-256:917FCEC8CA28B0EF404F565AAECF7FB850E193326D012583927CAA8BB55FB3EC
                                                                                                                                                                                                                                      SHA-512:40C18493196A1395EB72629042E0BE98F19CF657E402FF0F21447A238879157534BBCA632C40B047B42C4EA46C9935D40EF53604DCADB5552B8F6D4A5027C809
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPackage {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Installs software into "Programs and Features" based on a remote file..download. Use Install-
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):4341
                                                                                                                                                                                                                                      Entropy (8bit):5.172978110813656
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:cSyL+4pe90AlH31KoMb4lFkF9lr4cr8QCz7rVgAY+AExSNzwdOq7FuRFu7lVENiz:cSyL+4pGXHFKoETMcePrVnxAExSsl73
                                                                                                                                                                                                                                      MD5:B8FD2F73466C4538F16B753C1707E185
                                                                                                                                                                                                                                      SHA1:DEEAFE9F90676AC71FDC879D856A5FF312AF0D74
                                                                                                                                                                                                                                      SHA-256:1134D81094235B52249BD974129142BCE3B9796387C0D7CE71CE68A909A5C6B6
                                                                                                                                                                                                                                      SHA-512:BE6FCFB5FCBA314D4CE62FB47B3A292AADD6C7FB6723D042FC603211B7DFC20D8E2213132BA0ECF29A00050A0C7640E00FF6638EA499A2C0A33D8FBCFBC004E5
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPath {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-PathType 'Machine'.`....This puts a directory to the PATH environment variable......DESCRIPTI
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2645
                                                                                                                                                                                                                                      Entropy (8bit):5.278706654776255
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:cSyL+4pe90AlH31KoMD+4RXPXbVSPDqA9FM4jImbO2Poq+:cSyL+4pGXHFKoi7bVSe+M4jImg
                                                                                                                                                                                                                                      MD5:9432BDECB1FAE8A80B302A6216A7615B
                                                                                                                                                                                                                                      SHA1:80C6C8255413A9B9E2BD8DE14B274DFEF1F6E86A
                                                                                                                                                                                                                                      SHA-256:20510B09D631C0E5D9E6E4E5F0FC47EF47C1A413FE3F83A2413A2F4E42E1B649
                                                                                                                                                                                                                                      SHA-512:F6BF39157FB67D7434CCC6F80CF7E13C04302243BE3589D8FF85ECDEA1A19559091BA86FD7BB22671B239F16136ABC8FA84A156477497B32B35E9721EF9B7103
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPinnedTaskBarItem {..<#...SYNOPSIS..Creates an item in the task bar linking to the provided path......NOTES..Does not work with SYSTEM, but does not error. It warns
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):9319
                                                                                                                                                                                                                                      Entropy (8bit):5.106965440646972
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:cSyL+QGXHni8ybOOeHYlqWKWXVWpRXrHoyf4yc0q1:ctL+QG3ij9e4lqZfc1
                                                                                                                                                                                                                                      MD5:D95A27860316FF9415C6E59530A4F83E
                                                                                                                                                                                                                                      SHA1:16CA9BB81AC55A4EE814915F919FCE89634D637D
                                                                                                                                                                                                                                      SHA-256:F6A1CEB186C30AAD003EAE9B71FDEF4D1DC0D989C81FFDD844C5E9B82EF9532D
                                                                                                                                                                                                                                      SHA-512:4FBE61563130EF06FC69C5FEEFAD59A6FB4DF01BCA7C289A9E8E7B3D16B06BE8BB652AAC7DBF5548BCDDB7F9EEFC2E739B707694BF18995C645F4715DD43C1D3
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPowershellCommand {..<#...SYNOPSIS..Installs a PowerShell Script as a command.....DESCRIPTION..This will install a PowerShell script as a command on your system. Li
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):7888
                                                                                                                                                                                                                                      Entropy (8bit):5.219559860002251
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:cSyL+QGXH9mufXMVW7Vb944B6/yS/LIiP8/HahiJqhx8l91b:ctL+QGtmufXBVbwBPi6cJ4x8l91b
                                                                                                                                                                                                                                      MD5:B67CDEF057B2B5376CFDBE1F51AC241E
                                                                                                                                                                                                                                      SHA1:12B3484E2F85D5C591F1DDD178BA71F224BC232B
                                                                                                                                                                                                                                      SHA-256:D09B2B6B3D43259E79E6778581BA884B526D7A0687C90B19F38EF5B0CA1E5752
                                                                                                                                                                                                                                      SHA-512:BDBEC684B46B3039C7C369901C618E4D0313588B4AB3AE3A10C20CA89C9F2CFB24430FF360FA63D813B920088C7CE5DE17C20C193E0F5FBE40495A86212760FA
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyShortcut {..<#...SYNOPSIS..Creates a shortcut.....DESCRIPTION..This adds a shortcut, at the specified location, with the option to specify..a number of additional p
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):8855
                                                                                                                                                                                                                                      Entropy (8bit):5.1654657712280985
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:cSyL+QGXHrDorybOY2W/thNuVwBE6nBEvEGYfpxIDcO:ctL+QGNk67zyYpG7
                                                                                                                                                                                                                                      MD5:B751C9113B9601DC1B66D597F86474E9
                                                                                                                                                                                                                                      SHA1:E69E72AEAC3BBF5E3DE0C307FE62C0D293FCE36E
                                                                                                                                                                                                                                      SHA-256:E821C31B1A2C9CF7BB6AF12BBB70D88DC30ABADCBD68197982A0DCC6EEF7C982
                                                                                                                                                                                                                                      SHA-512:BCA21C385EA43B62CF113D35E3A50A66E69C6CB98BDE874DC38D6B517206456C4B3726825EA962E0F1676FD8ED936C51DD8FE7D85E9C1F3A336FDC961A53A662
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyVsixPackage {..<#...SYNOPSIS..Downloads and installs a VSIX package for Visual Studio.....DESCRIPTION..VSIX packages are Extensions for the Visual Studio IDE. The V
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):9740
                                                                                                                                                                                                                                      Entropy (8bit):5.124129906660506
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:cSyL+QGXH5l6ybO41LHHPWUWYhNfhNuVtsYzrPr:ctL+QGJlhXlHvbVPLYzLr
                                                                                                                                                                                                                                      MD5:A9F2320F7C75DB38BA32DE454DB14F41
                                                                                                                                                                                                                                      SHA1:52869D1B9C412DC5AB848E1E363A2F1C043A6EBA
                                                                                                                                                                                                                                      SHA-256:D5C38F705555D2F334308EB27E8CFADA3E1503390A19D99C26810295047815E7
                                                                                                                                                                                                                                      SHA-512:D40A8228A93F7543D1F447BC2989A5A9714F07F6CDE411801659483A0BCE5BD5696B5631DEC89FE6D4C9DDD87F29002A421627C9CF60EC57A6A93E02F028BE85
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyZipPackage {..<#...SYNOPSIS..Downloads file from a url and unzips it on your machine. Use..Get-ChocolateyUnzip when local or embedded file......DESCRIPTION..This wi
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2178
                                                                                                                                                                                                                                      Entropy (8bit):5.225120339484231
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:cSyL+4pe90AlH31KoM4eAjm3LeoXPNpxdeVP3YJxxKW2W2VlWp:cSyL+4pGXHFKoZjmnP3OVPUxxO3le
                                                                                                                                                                                                                                      MD5:5082284C6F295B50B7C28303E52D2770
                                                                                                                                                                                                                                      SHA1:08D320C56CA725CFC8D558E5C923836EDC369DFD
                                                                                                                                                                                                                                      SHA-256:D488957D7BEFF9256A176E7EA1F6D167604C175B44746B2B86B7EA0480F8089C
                                                                                                                                                                                                                                      SHA-512:F8AB98CD8A14ADFA9FED578867A6188F6CBCA5E4361FC0D17D5BAA49818DF7A24BE94C616A8FE6821B75FDCE853D426464BA8E6CE8824E2A47912F26204A8241
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-Vsix {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Installs a VSIX package into a particular version of Visual Studio......NOTES..This is not par
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):4463
                                                                                                                                                                                                                                      Entropy (8bit):5.326623524611151
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:cSyL+4pGXHFKo9LAVZVTfGqqHQ6+MiLMK+SIgEGZkxpU3gZCjfocO:cSyL+QGXHvAVLGqqHQ6waN9A3a
                                                                                                                                                                                                                                      MD5:C5ADB094F8B04B9D9E4E7FA429D0568F
                                                                                                                                                                                                                                      SHA1:64A4EC9D365702E1D279F0958B67EDAAC1CCFF72
                                                                                                                                                                                                                                      SHA-256:A7E60AA5802ADC6E16D105C693819D7B8F5396C9B18BB32D4E55A1C6EDDEE409
                                                                                                                                                                                                                                      SHA-512:20654DDEBFB81F1AA49BBBA3CF9C8BB2A03DA48C1D14DC63F4C200F8374393430E2515D85EE39B3EC788EFD97F8D442F07D36C06595263D57D6FEACA5B9DE152
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Set-EnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-Scope 'Machine'.`....DO NOT USE. Not part of the public API. Use..`Install-ChocolateyEnviron
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1711
                                                                                                                                                                                                                                      Entropy (8bit):5.130959499082034
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:cSyX54q90AlH31KofO/OuBT0fkaCVYBt4PHU:cSyp4aXHFKozUVYBt4c
                                                                                                                                                                                                                                      MD5:73DCA113BBA352B82F814797A5E075B5
                                                                                                                                                                                                                                      SHA1:B514007F4B97D41584B73A1BFFBE24B37131CCD1
                                                                                                                                                                                                                                      SHA-256:A4F55463BF3258F02058B8A568A4F650B6DEA54BE1E5851C9339D53DBA2CC08F
                                                                                                                                                                                                                                      SHA-512:9F0D8D5B5C418BDBD9034EF8BFEBA20D4F1D99B37F4DE7867102E6486BA6F5BA7D9CB5C34E7D9649546B74E81B6E238EB8CBA8BB458C7A0AFBC975B49ED04011
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....Function Set-PowerShellExitCode {..<#...SYNOPSIS..Sets the exit code for the PowerShell scripts......DESCRIPTION..Sets the exit code as an environment variable that is checked and used..as the exit code for the package at the end of the package script......NOTES..This tells PowerShell that it should prepare to shut down....
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16063
                                                                                                                                                                                                                                      Entropy (8bit):5.071535838625921
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:cSyL+QGXH8SvdSIVLWDL+G3YQwJOm1JzzN566OdHYrZxmrP17OrnwflAflNKc1+R:ctL+QGRvdSIWDznmzzvOUrIWjKEM05q
                                                                                                                                                                                                                                      MD5:C653DD51F0E2EF62BBD7F782C8DAE3AC
                                                                                                                                                                                                                                      SHA1:860325CDDF15E97C487A2351051517C89E414316
                                                                                                                                                                                                                                      SHA-256:120D4F0ECD7D4AF742CCE72D4CE86EBD960F3FC83FBB58860BECD79147830585
                                                                                                                                                                                                                                      SHA-512:417FD7B7609E7F002F8915D0E8EDA8EB3932FE3F4F7D88070457D2B08251CF0063C3B283C2129A02BAD6361812A16CDD1F3DFB26F55043181F9680D8B073B32E
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Start-ChocolateyProcessAsAdmin {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Runs a process with administrative privileges. If `-ExeToRun` is not..specified, it is r
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1913
                                                                                                                                                                                                                                      Entropy (8bit):5.085202352125102
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:cSyL+4pe90AlH31KoMwr86KhPWBT2TiCWezzwYYm6tFnzXHtQ:cSyL+4pGXHFKo2PD2CWbm6nnzXq
                                                                                                                                                                                                                                      MD5:12DE733D7CE18AF405D81469211573D3
                                                                                                                                                                                                                                      SHA1:89C23822D6717F00281EC45FB24F420678B9901B
                                                                                                                                                                                                                                      SHA-256:F07208BE10E70B4774168EC7C0CC86FC594F1D37D991E766EC46EE335302B083
                                                                                                                                                                                                                                      SHA-512:38775567CC21292C3E06E6F7A44BC7A3C525CC2A49A95E114CFB0C4BFF2AF7EDAEFB4D09A3FD777482BCB0088507323B5618128B96A4716BE9655010A390453F
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Test-ProcessAdminRights {..<#...SYNOPSIS..Tests whether the current process is running with administrative rights......DESCRIPTION..This function checks whether the current process h
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2897
                                                                                                                                                                                                                                      Entropy (8bit):5.162176606162476
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:cSyL+4pe90AlH31KoMjgAOTJEd4phQ44Yb1eVGXsjlKo9obKB9x/kgeoS5:cSyL+4pGXHFKod+aSZVLjo7m1Ju5
                                                                                                                                                                                                                                      MD5:B0DDD1F261098CAF4092E78539A61796
                                                                                                                                                                                                                                      SHA1:6F753444CE488773EC7AD4942BFB79BF79BC2A65
                                                                                                                                                                                                                                      SHA-256:12E80EA9AA3D894DB1BB1999DD766EF4925ECD59FEC8DEDCABF241DE96E1A949
                                                                                                                                                                                                                                      SHA-512:5C624D18321916C905287595ECC72CF996F24F27E68E22F35C1D07AD7004F579EE64D3E0AE5AE6867DE13A02E61F9893D3DB848A82D41FEC309C77DD88752F75
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyZipPackage {..<#...SYNOPSIS..Uninstalls a previous installed zip package, may not be necessary......DESCRIPTION..This will uninstall a zip file if installed via I
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3683
                                                                                                                                                                                                                                      Entropy (8bit):5.175198661740516
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:cSyL+4pGXHFKo2fFecAVuAlxoVGv5nPcdTmqKYDqnShM:cSyL+QGXHc0nVuAlOVGvpPcdTmx
                                                                                                                                                                                                                                      MD5:FCD698961855179908D84E45C1699CD3
                                                                                                                                                                                                                                      SHA1:449CF377EA5EEFC250DF24DC64F36F374C3EA022
                                                                                                                                                                                                                                      SHA-256:093191162E950B4CFDCDD066865C74E47F3F05B3543A9A98A7B82AD98C8236CA
                                                                                                                                                                                                                                      SHA-512:96C0B5867C19A9F06C81F507102FDBCC270BEBAB132E8A3EDE88CED129E369D282AC5F874B0F0AB94214C41C857EF74735909045AA3FDACFF96C74A38FA7AFB6
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-BinFile {..<#...SYNOPSIS..Removes a shim (or batch redirect) for a file......DESCRIPTION..Chocolatey installs have the folder `$($env:ChocolateyInstall)\bin`..included in t
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3131
                                                                                                                                                                                                                                      Entropy (8bit):5.1027007896112115
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:cSyX54q90AlH31KoMSta1Qr44qR4MXbVqlzmwETvp6SCodQsV:cSyp4aXHFKovRVKVwETB6SCu
                                                                                                                                                                                                                                      MD5:256F7D3F77746A9167E513497A1DEF85
                                                                                                                                                                                                                                      SHA1:0F213C21586F176C405C1877C6E7D2FD5B8E85AC
                                                                                                                                                                                                                                      SHA-256:4CE0A48B7A6D6FE997324F7F916DEA532754E4C371CEE38CACE5134EA1D3A101
                                                                                                                                                                                                                                      SHA-512:763263F5E68A1CB7391394570A7CCDDAF518A1522E3F0435EA62848631A03CF278E15F6375F02C0466CBEEBB4365BA419ADB3AB6549BA3BCB09C9BB718825F03
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyEnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-VariableType 'Machine'.`....Removes a persistent environment variable......DESCRIPTION..Uninstall-ChocolateyEnvironmentVariable removes an environment variable..with the specified name and value. The variable c
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):6062
                                                                                                                                                                                                                                      Entropy (8bit):5.047713257621158
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:cSyL+4pGXHFKoQ79vUU2ZTooaYjuVSQPsVeqYQfiyLi9xSQeSDHyXfOWQfpQf6:cSyL+QGXHweZdlFV8bQ7ov
                                                                                                                                                                                                                                      MD5:39599553B392FDEA36398A474FD623F2
                                                                                                                                                                                                                                      SHA1:89587AEDEC8ECADD274EE80EE43101032A55BAD4
                                                                                                                                                                                                                                      SHA-256:716E51F45EA009C6AEC10F123C58A837516E59910CD0DFB274DF0FF6A56EBF08
                                                                                                                                                                                                                                      SHA-512:1BA55A2CEC0EA911B3418FA8B1979EE8EF45C16033C82F1794416CA85D8F7D9B2618855008F8014BD1FA2A8466ECEB9E36A41E985122F8D04C765051C6DAF5C0
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyPackage {..<#...SYNOPSIS..Uninstalls software from "Programs and Features"......DESCRIPTION..This will uninstall software from your machine (in Programs and..Feat
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3611
                                                                                                                                                                                                                                      Entropy (8bit):5.0574071891740795
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:cSyL+4pGXHFKosxHb1u5jen+UMGeKJ1qeg:cSyL+QGXHWp+i5MzK/g
                                                                                                                                                                                                                                      MD5:AB7F32D92867D5CC52CB177374C656C2
                                                                                                                                                                                                                                      SHA1:ACB20AAADD71C921899DE91640DA2AB5F78984CA
                                                                                                                                                                                                                                      SHA-256:A1AD9ED3C049CA14C7970AA17CF5C6A28448E70FF2BE4E438A61C6DAB68E82B7
                                                                                                                                                                                                                                      SHA-512:22295E4C289EC0057B3F13A3B9C18B9B02CC4379D8E1F4F6FEBE48A45A05D92A5384EC158E4370CB5E67F33751377C2CD81C4F8E555145C49BF7680FE545F905
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Update-SessionEnvironment {..<#...SYNOPSIS..Updates the environment variables of the current powershell session with..any environment variable changes that may have occured during a.
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1974
                                                                                                                                                                                                                                      Entropy (8bit):5.219633769893594
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:cSyJ3554IpXAAyU0E+SlHQk1GpsLA9i9yVMppqTDf3nQytTxGEN8X/+nKB0chWqc:cSyX54q90AlH31KoMYpqfvVF2M1zrvn
                                                                                                                                                                                                                                      MD5:6A2F945A16F003443B3C14907163C357
                                                                                                                                                                                                                                      SHA1:EBDDA9AC96E6F71D0BEED493C5074F2CAFE638C2
                                                                                                                                                                                                                                      SHA-256:279171398D6F65221D4636DA730AB2F07C6DD56321BF76A03D0CA7D3D7B0B574
                                                                                                                                                                                                                                      SHA-512:C09FC9C169D5197B841EED9D44135F43AA8D11CC0463A567E922FE019545C9036542AD40AF5D64B808AF92E143787A8231CBF4F5B8A2F8F94E48614E8E06EFA0
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Write-FunctionCallLogMessage {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Writes function call as a debug message......NOTES..Available in 0.10.2+.....This function is not part of the API......INPUTS..None.....OUTPUTS..None.....PARAMETER Invocation..The invocation of the function (`$My
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32
                                                                                                                                                                                                                                      Entropy (8bit):3.632048827786958
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:jqAdGdtGdnn:+hTGF
                                                                                                                                                                                                                                      MD5:FB26701A5D20C5077053DFE015B37875
                                                                                                                                                                                                                                      SHA1:2EA39F4E21B117BEB8517F60D304070DA3A8055D
                                                                                                                                                                                                                                      SHA-256:759B3461F7A0991CC2A036560924ADC50EA1C15C4D17F590EEBD457330157495
                                                                                                                                                                                                                                      SHA-512:42A8832B0523D8F0720BB02C91815E3DBF71EC02C935A947A465FC0E00FFBDCF511D7DFC921DE54669312AE9735B53EDF21957F55A00D60977B1A1325FE496C8
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:ecc39e64c8fba863f2e647300224d62f
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):280616
                                                                                                                                                                                                                                      Entropy (8bit):5.691023070642676
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:AG0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhC6:AJrycoB3HVeESME3pnaVTS1nh7hCav
                                                                                                                                                                                                                                      MD5:30B0542E627055A7D48687D541A9E6BA
                                                                                                                                                                                                                                      SHA1:E12D2EE08CA0566A037824C3D6F4F316F088BD03
                                                                                                                                                                                                                                      SHA-256:170BF6875CF59E62A72FC2E414EA7F1364F9819534D5EE9E453C96E6863BCC35
                                                                                                                                                                                                                                      SHA-512:2694B174D93D13D2C3CF087551CBDB822548195D9582427B20AA9A2D6E1E1DCB362B4612C5D539E9E567812DD589B227738B3B4A631B4A9D3F6AF0E4549584C6
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):21638
                                                                                                                                                                                                                                      Entropy (8bit):5.2526013246125185
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:LuXrKQVxEY9wi7p8Mb9OLM1KBGj0m4Mchj6/1ERq08:Lu2AEk7+Mb9OLMcBGj0m4McAes
                                                                                                                                                                                                                                      MD5:BA6AD76AACB7C0EBA9BFF46648022EE3
                                                                                                                                                                                                                                      SHA1:BA3444CC866B54135516C4CD839392F7BCC5D2C3
                                                                                                                                                                                                                                      SHA-256:278E3F19B0B0F5D90600F1F6B0D5A24DEA589277BE0034B4F89694D9320821BB
                                                                                                                                                                                                                                      SHA-512:988F0AAACACE74B176A3B91AD8F2CDFEB91A9C631AB0750CE001D2DE115E37987DC12618DE5C6D366BB4F10A70DC9AFCCE0D9422427EFA683B3D21250AA2E00E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\choco.summary.log, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:2025-01-14 13:35:09,329 2692 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2025-01-14 13:35:09,688 2692 [WARN ] - Enabled allowGlobalConfirmation..2025-01-14 13:35:09,782 2692 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2025-01-14 13:35:10,548 2692 [WARN ] - 0 packages installed...2025-01-14 13:35:10,720 2692 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2025-01-14 13:35:10,938 2692 [INFO ] - Outdated Packages.. Output is package name | current version | available version | pinned?....2025-01-14 13:35:11,407 2692 [WARN ] - ..Chocolatey has determined 0 package(s) are outdated. ..2025-01-14 13:35:21,573 2692 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):18293
                                                                                                                                                                                                                                      Entropy (8bit):5.52560684820292
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:y6/w3C5CzzhdIlH4A2ERP6C5CzzhdIlH4Al0hJP:1Y3C5Czzg16C5CzzRP
                                                                                                                                                                                                                                      MD5:F1F5BA427CD3BEFB635E58FB527EEFE8
                                                                                                                                                                                                                                      SHA1:73CD5736F86D2B0DBBB8951D3A63A5E4A88E0C14
                                                                                                                                                                                                                                      SHA-256:5CE5BC0EF1C8FFAC008660B988476A770ECFC231DAD058F930C89C4C5E209750
                                                                                                                                                                                                                                      SHA-512:E817D282AB4A46D9531B15CB879842BA4D1D88285F49171622A7B29B520BA2949DF38DE3C8ED4CAEBCB649D40A4779DA678E06B33BA35026A5BFAA7F0CB684D7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:2025-01-14 13:53:23,999 2692 [INFO ] - microsoft-edge 131.0.2903.146 [Approved]..2025-01-14 13:53:24,030 2692 [INFO ] - intel-dsa 24.6.49.8 [Approved] Downloads cached for licensed users..2025-01-14 13:53:24,046 2692 [INFO ] - ffmpeg 7.1.0 [Approved]..2025-01-14 13:53:24,046 2692 [INFO ] - webview2-runtime 131.0.2903.146 [Approved] Downloads cached for licensed users..2025-01-14 13:53:24,061 2692 [INFO ] - ffmpeg-full 7.1.0 [Approved] - Possibly broken..2025-01-14 13:53:24,061 2692 [INFO ] - OpenCV 4.11.0 [Approved] Downloads cached for licensed users..2025-01-14 13:53:24,077 2692 [INFO ] - ffmpeg-shared 7.1.0 [Approved] Downloads cached for licensed users..2025-01-14 13:53:24,139 2692 [INFO ] - microsoft-edge-insider 132.0.2957.26 [Approved] Downloads cached for licensed users..2025-01-14 13:53:24,139 2692 [INFO ] - WinSecurityBaseline 20.1803.0 [Approved]..2025-01-14 13:53:24,155 2692 [INFO ] - microsoft-edge-insider-dev 132.0.2957.11 [Approved] Downloads cached for licensed users..2
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with very long lines (3884), with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3884
                                                                                                                                                                                                                                      Entropy (8bit):5.616006011134442
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:23atis3I2qgfQyD0SId6k/Szi3UQp1YilXTeMjIX:23atis3/XfQOxI6k/Szi3JXYE7m
                                                                                                                                                                                                                                      MD5:B97A8EF9F905CB5D3073CE7F0039ED2C
                                                                                                                                                                                                                                      SHA1:EFA9690C632C4568DDFB9411630BDA552D5379E1
                                                                                                                                                                                                                                      SHA-256:D4C2766D6ACF8B50B96DBBA4FCBAF1C87C197C27F6D8009EE4A3E0BF0AEDD233
                                                                                                                                                                                                                                      SHA-512:85B1FD2779CF7A180579D59B5D5C759FF50236E4A0E94CC1092FBAA9252E7A29D504E5A7031C819885687389F4957B8A3CFDC6029724DB82770CC75813B1031B
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2340
                                                                                                                                                                                                                                      Entropy (8bit):5.120693108028518
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:WJhzy3v9zec4JksG5A10JZ65RhS9JlqUp7B9nplD6e7B5yg:42V6Q5A1B5C9L/
                                                                                                                                                                                                                                      MD5:B4326546C3A252494DCD512976F8B89A
                                                                                                                                                                                                                                      SHA1:09D10EA0ABDBDE8C2B5BAFE410ED3B96AB0076C8
                                                                                                                                                                                                                                      SHA-256:9B251737A6B6ACE9FDE45B64FD653B04575C6416F15112FBE1697A47B14990E6
                                                                                                                                                                                                                                      SHA-512:E58EDC6DC66A289358E7FDE7C3F1D73A0EE1F7A6DB382DD1318FAA205E12271C081617B8366ECD1FCB3A0BC5A98F4B0F0C389C99A63D9EDF7CE1BD230AC85EC2
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:@echo off..::..:: RefreshEnv.cmd..::..:: Batch file to read environment variables from registry and..:: set session variables to these values...::..:: With this batch file, there should be no need to reload command..:: environment every time you want environment changes to propagate....::echo "RefreshEnv.cmd only works from cmd.exe, please install the Chocolatey Profile to take advantage of refreshenv from PowerShell"..echo | set /p dummy="Refreshing environment variables from registry for cmd.exe. Please wait..."....goto main....:: Set one environment variable from registry key..:SetFromReg.. "%WinDir%\System32\Reg" QUERY "%~1" /v "%~2" > "%TEMP%\_envset.tmp" 2>NUL.. for /f "usebackq skip=2 tokens=2,*" %%A IN ("%TEMP%\_envset.tmp") do (.. echo/set "%~3=%%B".. ).. goto :EOF....:: Get a list of environment variables from registry..:GetRegEnv.. "%WinDir%\System32\Reg" QUERY "%~1" > "%TEMP%\_envget.tmp".. for /f "usebackq skip=2" %%A IN ("%TEMP%\_envget.tmp") do (
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):136704
                                                                                                                                                                                                                                      Entropy (8bit):5.174853806484254
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:ED98HpKI6GCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:Y9GpKbShcHUa
                                                                                                                                                                                                                                      MD5:DDD072DBD2267BCB3081340E57ED092B
                                                                                                                                                                                                                                      SHA1:04EC398A1DE53DC960A882363A528E162350C57C
                                                                                                                                                                                                                                      SHA-256:460F604144DD93A3794F75C9E09B2676D7AD1295CD92499FAD80ED3C27990F02
                                                                                                                                                                                                                                      SHA-512:2271C5846254EAA7389D23EE0241814D06D34257A7B6D44FE7CBEA14F3ACA5101457FAD934B22D2B9B49F1263BCB4209D8EADC07DB93E2B5E01CCDA5BD6ED2A8
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2
                                                                                                                                                                                                                                      Entropy (8bit):1.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:y:y
                                                                                                                                                                                                                                      MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                      SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                      SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                      SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):137216
                                                                                                                                                                                                                                      Entropy (8bit):5.162895637606263
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:KMU90HpKOrGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:K59OpKgShcHUa
                                                                                                                                                                                                                                      MD5:0BCC21AC34291B167EC4D73079EAE085
                                                                                                                                                                                                                                      SHA1:BAEF2A7349E2C6269BBF2C8C6654C492683FC73E
                                                                                                                                                                                                                                      SHA-256:14288199533B10CAD97F5917447979BBC4685F20255AA073EC1BB828D3CF6A2C
                                                                                                                                                                                                                                      SHA-512:9B7CC423E4F27DFF6006425311A6CC39CBA9CB5D3D4966C81FDA21C5907A434B6A748A92B65229A01A65440D8BA2D87D9E8C99CE80E2062569232A10AE74F9BA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2
                                                                                                                                                                                                                                      Entropy (8bit):1.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:y:y
                                                                                                                                                                                                                                      MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                      SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                      SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                      SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):137216
                                                                                                                                                                                                                                      Entropy (8bit):5.162623164553414
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:1w9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:C9UpK7ShcHUa
                                                                                                                                                                                                                                      MD5:55CC3EA23C5430BE7B5A75A52157DA18
                                                                                                                                                                                                                                      SHA1:AB1D482F2B5E7E0DAD31EA18B78D5F8EA849B87D
                                                                                                                                                                                                                                      SHA-256:BE0494DC91E38456E22692F3AB1891C56871FB82A83ADFDC58F8F890141ECEC9
                                                                                                                                                                                                                                      SHA-512:C09E0476E2D1F69A878195A4026954C5D74C0B5318254A60ABC5909F00A60CCE86D49D29BBF1ECAE498BCE0C2FD2551EFEF0FE287DAB7EAD2FE573CCC833CF3E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2
                                                                                                                                                                                                                                      Entropy (8bit):1.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:y:y
                                                                                                                                                                                                                                      MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                      SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                      SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                      SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):137216
                                                                                                                                                                                                                                      Entropy (8bit):5.162059784215363
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:YE9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:795pK7ShcHUa
                                                                                                                                                                                                                                      MD5:4E2DC776C653ADBEBCF5DB16AB53296E
                                                                                                                                                                                                                                      SHA1:290457CFC7EC45A493CCEACD2CA24A47237494C1
                                                                                                                                                                                                                                      SHA-256:2DCB2236BB84AE42F4395E72EC67A22CBE0E68ADA4F80FABD7141B5B3D4E7985
                                                                                                                                                                                                                                      SHA-512:533B424AFD7E5BF831BB72164D91B663A2368D458A3EFFFF7062A15D1AB77585C087FA5A5471D3530CCF30309AC30C35EAA4A9168A350071A64E912E15012311
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2
                                                                                                                                                                                                                                      Entropy (8bit):1.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:y:y
                                                                                                                                                                                                                                      MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                      SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                      SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                      SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):137216
                                                                                                                                                                                                                                      Entropy (8bit):5.162082250130723
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:GI9KHpKHDGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:l9QpKjShcHUa
                                                                                                                                                                                                                                      MD5:76385C4CF0842546103EDD75662BDAD7
                                                                                                                                                                                                                                      SHA1:BC42B5817E6BB3568CC6D7C0BD2B03E8B723024B
                                                                                                                                                                                                                                      SHA-256:67EB4084D0BD361C42FFD7AF025167BAFCE8496A35CA6616945E0942386C6424
                                                                                                                                                                                                                                      SHA-512:BAB9B5AE9B89697A7FA83D0D29A4DB0B777F126EEC8DF3BAE9B009AF9A0D556BB79BF2DCED1D26C7A8E900AC5AA7DDE07CEC334DA6418925F352554383F77EC2
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2
                                                                                                                                                                                                                                      Entropy (8bit):1.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:y:y
                                                                                                                                                                                                                                      MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                      SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                      SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                      SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):137216
                                                                                                                                                                                                                                      Entropy (8bit):5.163276282537277
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:pS791HpKIqGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:pO9xpKbShcHUa
                                                                                                                                                                                                                                      MD5:5C9628C46256D0F6B14DE2168CBED8CC
                                                                                                                                                                                                                                      SHA1:B7284385B0076623B76EC3FB2398B5EE8F3B9F85
                                                                                                                                                                                                                                      SHA-256:354C3758A1F9E5A39E7292E9CCA353F815358977B3CC9A704BCEAB257AC6C24C
                                                                                                                                                                                                                                      SHA-512:84886CF1632EFA70D8023F99A663E809422DFCC1C566793EF52078551DA105BFF1B2F9D54E197D8CCE53C3C725226635D623D9D539B5BFD4C17C802286EFADB4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2
                                                                                                                                                                                                                                      Entropy (8bit):1.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:y:y
                                                                                                                                                                                                                                      MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                      SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                      SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                      SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):137216
                                                                                                                                                                                                                                      Entropy (8bit):5.162239721051707
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:TR9vHpKmEGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:F9/pKvShcHUa
                                                                                                                                                                                                                                      MD5:8783ED37D6871AE20E4A65A655788A7E
                                                                                                                                                                                                                                      SHA1:C42F5B032CF27FFC36869C22D5BE0363AC2E5AF4
                                                                                                                                                                                                                                      SHA-256:5AFEF49A1BB85ED16EE7EF08D9ED694F166A9500701728770E50E92978566C5B
                                                                                                                                                                                                                                      SHA-512:1FE424147DBAD7978F0C856D152F3236685C52DBCA5DD6AB7A03E5D1B8A08566FDF4574C4704FBEDF286A4C13B354D771E25D1B725D55578C14E9EAB2D8F9898
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2
                                                                                                                                                                                                                                      Entropy (8bit):1.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:y:y
                                                                                                                                                                                                                                      MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                      SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                      SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                      SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with very long lines (332), with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):332
                                                                                                                                                                                                                                      Entropy (8bit):5.463795747024441
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:tNsTkfvrkvTkVVr+sTpPmnqi9BZNVGO1M9LVWmkCvG/vT60Bd6UkCvGLsriELiPG:t1RFPmnqUJVGwQFkmGDLBkmGLsriELie
                                                                                                                                                                                                                                      MD5:5317D6EB85A03B725BD1073358DD9B2D
                                                                                                                                                                                                                                      SHA1:7152C1364EBFA8C65BB34804B7A61722B6F8D80E
                                                                                                                                                                                                                                      SHA-256:CE43A91AC25DC040BB0B528DF89A16CE931DBF238325C8D15DDEC93C4CCEB9DD
                                                                                                                                                                                                                                      SHA-512:A0D831F9F7F251877E3D57B8D0649393CED1F88807AF09833E9EEEF59550A20804A903C0D2FF12D46455F70656C5D34BB9239E684B7B6482E11237F355885EC2
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:W3siTmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJUaGlyZFBhcnR5TmFtZSI6Ikdvb2dsZUNocm9tZSJ9LHsiTmFtZSI6IkphdmEgOCBVcGRhdGUgMzgxIiwiVGhpcmRQYXJ0eU5hbWUiOiJqcmU4In0seyJOYW1lIjoiTWljcm9zb2Z0IEVkZ2UiLCJUaGlyZFBhcnR5TmFtZSI6Im1pY3Jvc29mdC1lZGdlIn0seyJOYW1lIjoiTWljcm9zb2Z0IEVkZ2UgV2ViVmlldzIgUnVudGltZSIsIlRoaXJkUGFydHlOYW1lIjoibWljcm9zb2Z0LWVkZ2UifV0=
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1167872
                                                                                                                                                                                                                                      Entropy (8bit):6.603432444128302
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:Gxb5vMX35l5UVrIdhcMEKWnttf7eePboHvVxSfOtl:GxbSz5UVrIdhnW1Pc96Otl
                                                                                                                                                                                                                                      MD5:0DCE103B0102ADEC3279797665B7A4AE
                                                                                                                                                                                                                                      SHA1:C121392BAB6DBA8D04BEE89C6B526E8E67650CC8
                                                                                                                                                                                                                                      SHA-256:3DB62076E5FCC897FF29DA47FE4029900A4AD696B395B6FA96ACFF1229444C1D
                                                                                                                                                                                                                                      SHA-512:20F0F02097694579AC8794D56411FBE2D97C47D37794CB52AFDABC9956C0452E8A3BB273ED34E463F31927E29E7E41C0FDDB82FBBE688DD39C4113C00EC91BC9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l...(x.(x.(x.Gg.+x..d.!x.Gg.,x.Gg.*x..p..)x.(x.@x..p../x..^..x..^.*x.3.z..x....-x..~.)x..X.)x.Rich(x.........PE..L...`u.a...........!.........~.......>....................................................@.............................y.......d........{......................P.......................................................D............................text............................... ..`.rdata..............................@..@.data...............................@....sxdata......p......................@....rsrc....{.......|..................@..@.reloc...............@..............@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):513
                                                                                                                                                                                                                                      Entropy (8bit):4.971000586893018
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:TMHdt43O5GgVNSSN/aN/2UjMNciq2xA5NEG:2dt4+GgBNCNFjMyisD
                                                                                                                                                                                                                                      MD5:8F89387331C12B55EAA26E5188D9E2FF
                                                                                                                                                                                                                                      SHA1:537FDD4F1018CE8D08A3D151AD07B55D96E94DD2
                                                                                                                                                                                                                                      SHA-256:6B7368CE5E38F6E0EE03CA0A9D1A2322CC0AFC07E8DE9DCC94E156853EAE5033
                                                                                                                                                                                                                                      SHA-512:04C10AE52F85D3A27D4B05B3D1427DDC2AFACCFE94ED228F8F6AE4447FD2465D102F2DD95CAF1B617F8C76CB4243716469D1DA3DAC3292854ACD4A63CE0FD239
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="7z" processorArchitecture="*" type="win32" />.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">.. <requestedExecutionLevel level="asInvoker" uiAccess="false" />.. </requestedPrivileges>.. </security>.. </trustInfo>..</assembly>..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):331776
                                                                                                                                                                                                                                      Entropy (8bit):6.512244761259412
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:J5lqo52kDzMYDJSi7+Ni2ER9Vh98+1PrEVhkQf0huIDaLOjm:JMqzBDJkk2ERvT8MPAf/O6
                                                                                                                                                                                                                                      MD5:7187AE605F4DCE14BB23EA2623956335
                                                                                                                                                                                                                                      SHA1:F7C1DF33B875C98F41DCDE24117D89D42D25B7CE
                                                                                                                                                                                                                                      SHA-256:9E2631C19B243C28B0980607CED2540E9447B1166572483475547C1A9DD4AC0E
                                                                                                                                                                                                                                      SHA-512:F64522E2FB6BB61884FE53C34E79B355EFB9EC33C02B2CD67D729AF7D763E7B3873A5C7CE6AC7BB4567E6BCF8C70CADBC66F511E8BB151AB05096A832032BC8F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..|...|...|...p...|...w...|.d.r...|...v...|...x...|.i.#...|...}.|.|.d.!...|...w...|..V....|...v...|.......|. .z...|.Rich..|.........PE..L...`u.a.....................<......<.............@..........................p............@.....................................x.... .......................0...2......................................................(............................text...r........................... ..`.rdata..b...........................@..@.data....'..........................@....sxdata.............................@....rsrc........ ......................@..@.reloc...<...0...>..................@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):513
                                                                                                                                                                                                                                      Entropy (8bit):4.971000586893018
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:TMHdt43O5GgVNSSN/aN/2UjMNciq2xA5NEG:2dt4+GgBNCNFjMyisD
                                                                                                                                                                                                                                      MD5:8F89387331C12B55EAA26E5188D9E2FF
                                                                                                                                                                                                                                      SHA1:537FDD4F1018CE8D08A3D151AD07B55D96E94DD2
                                                                                                                                                                                                                                      SHA-256:6B7368CE5E38F6E0EE03CA0A9D1A2322CC0AFC07E8DE9DCC94E156853EAE5033
                                                                                                                                                                                                                                      SHA-512:04C10AE52F85D3A27D4B05B3D1427DDC2AFACCFE94ED228F8F6AE4447FD2465D102F2DD95CAF1B617F8C76CB4243716469D1DA3DAC3292854ACD4A63CE0FD239
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="7z" processorArchitecture="*" type="win32" />.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">.. <requestedExecutionLevel level="asInvoker" uiAccess="false" />.. </requestedPrivileges>.. </security>.. </trustInfo>..</assembly>..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1927
                                                                                                                                                                                                                                      Entropy (8bit):4.78095675693374
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:aCpXZHRo7dL53iEu+byAHsv7g6z0zBZfNP3VyFA:dlq7XTu+xCz0NxxVwA
                                                                                                                                                                                                                                      MD5:899A48828B85C4B0402EE7CF1F65B62B
                                                                                                                                                                                                                                      SHA1:73BA604E5A4E4EA6FB4AD23B8ADF3982B2C82D10
                                                                                                                                                                                                                                      SHA-256:20343526E04CE61EED2675282462E7080D305246F7807386621149C2025765D9
                                                                                                                                                                                                                                      SHA-512:EFD02998961261FFA64332EA13876906D55A8BD8209BF94F922D97889DDF1181129B6A08E5747F1C0A07E69CFC3A05E86D18AFC3E06325B51598F52360881B1B
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview: 7-Zip.. ~~~~~.. License for use and distribution.. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.... 7-Zip Copyright (C) 1999-2016 Igor Pavlov..... Licenses for files are:.... 1) 7z.dll: GNU LGPL + unRAR restriction.. 2) All other files: GNU LGPL.... The GNU LGPL + unRAR restriction means that you must follow both .. GNU LGPL rules and unRAR restriction rules....... Note: .. You can use 7-Zip on any computer, including a computer in a commercial .. organization. You don't need to register or pay for 7-Zip....... GNU LGPL information.. --------------------.... This library is free software; you can redistribute it and/or.. modify it under the terms of the GNU Lesser General Public.. License as published by the Free Software Foundation; either.. version 2.1 of the License, or (at your option) any later version..... This library is distributed in the hope that it will be useful,.. but WITHOUT ANY WARRANTY; without even the implied warranty of.. MERCHANTABI
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):29184
                                                                                                                                                                                                                                      Entropy (8bit):5.423222213276874
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:02aUriLtuRZFwdpyTmNSHSBLVogO6QlRSO/:1r0ARZF6NFVogjQlRv/
                                                                                                                                                                                                                                      MD5:5CA71CBFF5A8DE7E5E30B6E94CD42069
                                                                                                                                                                                                                                      SHA1:991701A32492D743430627CBFBD56D6884C32588
                                                                                                                                                                                                                                      SHA-256:23FBD1EE66FCE6872E97B2FE84C409AB30A74FE8720B722BC6F8BAE6E7764C04
                                                                                                                                                                                                                                      SHA-512:77E31EC0DCA4E4895D3A4C0E84C6C1516D94089763F1735CAC150EFCD4EEC36107BB810E24D94C1208B7A80881D858DBFE887B32DA6F6D8F0C48F21C2525D0BE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):150
                                                                                                                                                                                                                                      Entropy (8bit):4.731888600769331
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:vFWWMNHU8LdgCQcIMOofoObWNRXGws8FLu+gNlFueRObK4QIMOn:TMVBd1IGPKNxgUaNNu5W4QIT
                                                                                                                                                                                                                                      MD5:E9AD5DD7B32C44F8A241DE0E883D7733
                                                                                                                                                                                                                                      SHA1:034C69B120C514AD9ED83C7BAD32624560E4B464
                                                                                                                                                                                                                                      SHA-256:9B250C32CBEC90D2A61CB90055AC825D7A5F9A5923209CFD0625FCA09A908D0A
                                                                                                                                                                                                                                      SHA-512:BF5A6C477DC5DFEB85CA82D2AED72BD72ED990BEDCAF477AF0E8CAD9CDF3CFBEBDDC19FA69A054A65BC1AE55AAF8819ABCD9624A18A03310A20C80C116C99CC4
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <enforceFIPSPolicy enabled="false"/>.. </runtime>..</configuration>
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):95
                                                                                                                                                                                                                                      Entropy (8bit):4.721635609555772
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:SZdFVJMXLreqXy1Wfardzl7BZyOX35++n:Sls/t+WfKj+OXV
                                                                                                                                                                                                                                      MD5:A10B78183254DA1214DD51A5ACE74BC0
                                                                                                                                                                                                                                      SHA1:5C9206F667D319E54DE8C9743A211D0E202F5311
                                                                                                                                                                                                                                      SHA-256:29472B6BE2F4E7134F09CC2FADF088CB87089853B383CA4AF29C19CC8DFC1A62
                                                                                                                                                                                                                                      SHA-512:CAE9F800DA290386DE37BB779909561B4EA4CC5042809E85236D029D9125B3A30F6981BC6B3C80B998F727C48EB322A8AD7F3B5FB36EA3F8C8DD717D4E8BE55E
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:CheckSum is licensed as Apache v2 - https://raw.github.com/ferventcoder/checksum/master/LICENSE
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):565672
                                                                                                                                                                                                                                      Entropy (8bit):5.0581002983018335
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:hjgGwLGK4Uk0Ycoi6DdP51S2XI5cgGlKFTvr5pgx1v9/oLUmP9nVy:h7wj4kYcopdPm2ac8+1vVmPHy
                                                                                                                                                                                                                                      MD5:F7B6AA803BE23C3192FCC2058D208F44
                                                                                                                                                                                                                                      SHA1:A9569D1A4948FD33D388BB263B5CFF0D66E3BB34
                                                                                                                                                                                                                                      SHA-256:D489923F1F91954B8AA15CD0E763132B9033780481D850D74395F5AB6E266C7C
                                                                                                                                                                                                                                      SHA-512:7FD6E1B291503AC9A67128BAC2D6C8F21B40CE9DE99E015866FC62C79CBBAFCD25F3F43A0EB77A00B20C1D6BE9504E85458D503647BF2CF93BC71DAFB64AF122
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3758
                                                                                                                                                                                                                                      Entropy (8bit):4.882012677800436
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:wwVl/ldfbBaq9k4KM8da2J7LbyM71wKPC/:rVl/ldfsn4KM8daU7LP5wn/
                                                                                                                                                                                                                                      MD5:89AC7C94D1013F7B3E32215A3DB41731
                                                                                                                                                                                                                                      SHA1:1511376E8A74A28D15BB62A75713754E650C8A8D
                                                                                                                                                                                                                                      SHA-256:D4D2EF2C520EC3E4ECFF52C867EBD28E357900E0328BB4173CB46996DED353F4
                                                                                                                                                                                                                                      SHA-512:9BA2B0029E84DE81FFEF19B4B17A6D29EE652049BB3152372F504A06121A944AC1A2B1B57C6B0447979D5DE9A931186FEF9BD0667D5358D3C9CB29B817533792
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:Shim Generator - shimgen.exe..Copyright (C) 2017 - Present Chocolatey Software, Inc ("CHOCOLATEY")..Copyright (C) 2013 - 2017 RealDimensions Software, LLC ("RDS")..===================================================================..Grant of License..===================================================================..ATTENTION: Shim Generator ("shimgen.exe") is a closed source application with..a proprietary license and its use is strictly limited to the terms of this ..license agreement.....RealDimensions Software, LLC ("RDS") grants Chocolatey Software, Inc a revocable, ..non-exclusive license to distribute and use shimgen.exe with the official ..Chocolatey client (https://chocolatey.org). This license file must be stored in ..Chocolatey source next to shimgen.exe and distributed with every copy of ..shimgen.exe. The distribution or use of shimgen.exe outside of these terms ..without the express written permission of RDS is strictly prohibited.....While the source for shimgen.exe is
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1185456
                                                                                                                                                                                                                                      Entropy (8bit):7.999660178690134
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:24576:Ssoja9MaLduouhVlf0tyv29r1+IdjkaCgs54gvUokF4fEFBb:HoFOJuhV+tyor1+I+aqdM2MFBb
                                                                                                                                                                                                                                      MD5:6C6F85E896655A6EB726482F04C49086
                                                                                                                                                                                                                                      SHA1:2E0C55CD4894117428B34D21A1D53738FCE4B02C
                                                                                                                                                                                                                                      SHA-256:E109400A93FEDE90201BBF37C1868C789888BCE9D03A4AE5B46C48599939C34E
                                                                                                                                                                                                                                      SHA-512:B58303C149DEFFC9E374D5BA42A8A73B7CE890D35F9589FE0B09ACEC541A21D589D49FA5086B965277FA22DFE308357505124F13A6FF1E0DE415EBC40CE61E15
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):55344
                                                                                                                                                                                                                                      Entropy (8bit):6.139210251385105
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:N2Xj3YqBmARWhNqjxcVqnOvdBsqW/BCiFl0scb/MV7Hx/:wX5BqSBjb0tb/MVJ
                                                                                                                                                                                                                                      MD5:77C613FFADF1F4B2F50D31EEEC83AF30
                                                                                                                                                                                                                                      SHA1:76A6BFD488E73630632CC7BD0C9F51D5D0B71B4C
                                                                                                                                                                                                                                      SHA-256:2A0EAD6E9F424CBC26EF8A27C1EED1A3D0E2DF6419E7F5F10AA787377A28D7CF
                                                                                                                                                                                                                                      SHA-512:29C8AE60D195D525650574933BAD59B98CF8438D47F33EDF80BBDF0C79B32D78F0C0FEBE69C9C98C156F52219ECD58D7E5E669AE39D912ABE53638092ED8B6C3
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2010
                                                                                                                                                                                                                                      Entropy (8bit):5.013965898836397
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:3rrb7O7Rgdp+1/gYoSagFsg+w3Sg+Cag+XgjdgDt:7rne4wCNj
                                                                                                                                                                                                                                      MD5:0B17B3BE9B3A6F6879998D280941DE55
                                                                                                                                                                                                                                      SHA1:EDE825B51EE11AF7C9221DCE596BB969CD068529
                                                                                                                                                                                                                                      SHA-256:1D69336E421C535CECF2E0326BE39B44EEC8EA39754AC8E855D8E0368E0F4619
                                                                                                                                                                                                                                      SHA-512:06D9CC03B8F7295A6E02376159EA96A83CAED4B584769370C0BF365B25D29C883BA5C8359CFEB7316D13C93B49FD37CCA267F6E7931220CED71435E1F4B639C8
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):11
                                                                                                                                                                                                                                      Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                      MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                      SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                      SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                      SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=1.6
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):93232
                                                                                                                                                                                                                                      Entropy (8bit):6.195903304850222
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:zSvbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hx9:zS8UMW+BV5M+5Nn0kom/RS3
                                                                                                                                                                                                                                      MD5:B969BFF44179BF8A3584EEB9E026CAE1
                                                                                                                                                                                                                                      SHA1:DBA7A528F51870B89AED549E81EF0660F43B2943
                                                                                                                                                                                                                                      SHA-256:5EE05D3796AB12ECF7F2D32D48D41D2A2A3FD257AD8456A0EBD5E6019492ECF1
                                                                                                                                                                                                                                      SHA-512:F0643905258D2C09CA0A6C30A0A9AD5AD2FE184A65B7FFA5B7B731FEE8357672B35246626A10B39DF7C18EF1B75328192495685DDF9CD2F524E913D6A2993E18
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):95280
                                                                                                                                                                                                                                      Entropy (8bit):5.998418289121845
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:6iLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7HxlF:/Z0PMcjrgF
                                                                                                                                                                                                                                      MD5:3AB0B86F5D058374AC789F05FB6C6E81
                                                                                                                                                                                                                                      SHA1:4C8142A6EA10F48735429B125ADC278178FA0082
                                                                                                                                                                                                                                      SHA-256:5F773968BD0501D91C4AE1339D248B4F766C39885B35088953AFB1BE6FBCC4E8
                                                                                                                                                                                                                                      SHA-512:1A6CC62361FDD20A99D9551E677269D9D67B6F4B66C09083E07AE5732C23FFE15A5E687437A16A27896A19DECEB9F23D7614B6CC44445C365E3A59DED1AEE6E2
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16432
                                                                                                                                                                                                                                      Entropy (8bit):6.6559468525212
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:wXh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl55qz:wXh+tYmNyb8E9VF6IYinAM+oCaF5qz
                                                                                                                                                                                                                                      MD5:8E2D0F47E477FAE8132492A31B26F1B3
                                                                                                                                                                                                                                      SHA1:6C3EB7CB1D5E942DC6A62767A701D201E2F69CE1
                                                                                                                                                                                                                                      SHA-256:7C8CD3B61286AAC09534541EDBFF10618938236830167581BD3E922CA55A1456
                                                                                                                                                                                                                                      SHA-512:B40EA70361F5AFCCB3DC41D38A4F302AEE00B9AAC206AD2DFBD1591A7722AF732BC820C3C66EA3BC0816D4C98E364D1345077EDC786ED19135659AC91E0CFC06
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):75312
                                                                                                                                                                                                                                      Entropy (8bit):6.23943595769723
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:Tu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYH:KF+qo7mDEwj4NXLGcfgruFcg7HxRt
                                                                                                                                                                                                                                      MD5:D5B69F2C4F5CB0E7D43D7F6C1C87DC7E
                                                                                                                                                                                                                                      SHA1:98FDA78C049D650E47C17D9072E82D87C1B59E9F
                                                                                                                                                                                                                                      SHA-256:6C1325D183C7CC3E516628921005F18BB5A191B0029AF93DFB022CA4C2ABBAE9
                                                                                                                                                                                                                                      SHA-512:D95C5CD5E9DAC57FA9C5DE8645F637363A5E787A8C521B09BFBEA56D01765F4FC31E4080BDCAD28BBD90FDB9BEE1CAB50E95FF13CFAC728405D87C3EFE3A387B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):52272
                                                                                                                                                                                                                                      Entropy (8bit):6.4113040933608225
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:TQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAMU:T9ML8LW/usybGYVE8mZw+89Wu1e7Hxav
                                                                                                                                                                                                                                      MD5:94B12931B9032E80157DC27422393FEC
                                                                                                                                                                                                                                      SHA1:2B762FCA27538B55ACF736F7D65E293E5F15EAEA
                                                                                                                                                                                                                                      SHA-256:746AD9902D9310CC2F172736AC156018ECD3843BA58C8337DE017074B06CD645
                                                                                                                                                                                                                                      SHA-512:D943A39FDD74627514818DAF3434BD1ABEB4EE10077E8B10414098DDA2972851795A15CBD4CAD73A67D5171446E4A6D844CDF8BD705E72F34B7DA16678097BE9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):398896
                                                                                                                                                                                                                                      Entropy (8bit):6.1343664856235245
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:5jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvM:5+e55LgIkTmyAAfTnMLvM
                                                                                                                                                                                                                                      MD5:FACA1B5218F8EB76963366A6842E122D
                                                                                                                                                                                                                                      SHA1:41B281ABA7D7FE994EE6C77F7F71042885919EC0
                                                                                                                                                                                                                                      SHA-256:D779F3514666734455B5B2B7AEB035F7E1D7394CD445E332DD4D236E24D5C94E
                                                                                                                                                                                                                                      SHA-512:8F350CB3D0C13A701C67749E103B1E07EE1E2EF8EFE71B70CC728F8E21DC02922BAB241CA256695DAC9B225D450623E9F8DA055EA062E336D7F1CD9D2A3FB6D9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1409
                                                                                                                                                                                                                                      Entropy (8bit):4.992215339808616
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:2dNQjY8L2PRRkMYaWcvJ9AwcPGnJg8vQpyriEWZoEs4h:cb8MRRkMVB9AwVbIQdsoEf
                                                                                                                                                                                                                                      MD5:766E089F9AF0DAD5BFD8B77167D1E0FD
                                                                                                                                                                                                                                      SHA1:0AD55E6BA596EFEB24867DC9FDCE4B3D2F2D904F
                                                                                                                                                                                                                                      SHA-256:1D95ED644BB7D706E5B8EBDCB875B23F8B21C62C53C701EB8B3385F770808D7E
                                                                                                                                                                                                                                      SHA-512:FD8ECF32094577A51579911AC3722D839A7B0874146B909EB8DC944CDB5DA459BFCF7EB64B47EC08F40515E6C38B4C4CBA1F4D9F9EB403E891A8710310DBAECA
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. xsi:schemaLocation="http://www.nlog-project.org/schemas/NLog.xsd NLog.xsd".. autoReload="true".. throwExceptions="false".. internalLogLevel="Off" internalLogFile="c:\temp\nlog-internal.log">.... optional, add some variables.. https://github.com/nlog/NLog/wiki/Configuration-file#variables.. -->.. <variable name="myvar" value="myvalue"/>.... .. See https://github.com/nlog/nlog/wiki/Configuration-file.. for information on customizing logging rules and outputs... -->.. <targets>.... .. add your targets here.. See https://github.com/nlog/NLog/wiki/Targets for possible targets... See https://github.com/nlog/NLog/wiki/Layout-Renderers for the possible layout renderers... -->.... .. Write events to a file with the date in the filename... <target xsi:type="File" na
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):883760
                                                                                                                                                                                                                                      Entropy (8bit):6.071504659955744
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQJ:V1n1p9LdRN39aQZUqM
                                                                                                                                                                                                                                      MD5:17A183A03C34B8EC1C91B3DD0B50E022
                                                                                                                                                                                                                                      SHA1:7D226520BE51BD71D05D7EB56793233794F87DA4
                                                                                                                                                                                                                                      SHA-256:381278035C5A8A4668D31B12F0BF3DEC6544E9668FED84DA038A8D21D233D72D
                                                                                                                                                                                                                                      SHA-512:AD5591F6B90A07C00F10EF19231BB3C766E9E27C2205AB3A32C15B7D0DE0F732A5600665E4302290C771F06370B23E4FF0AC63E51C1F36899F98CCB6BD5F8C01
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710192
                                                                                                                                                                                                                                      Entropy (8bit):5.960370699367048
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUW:hBA/ZTvQD0XY0AJBSjRlXP36RMGj
                                                                                                                                                                                                                                      MD5:53D8AD0BCDED36C2EEBD4D3C45A60BD7
                                                                                                                                                                                                                                      SHA1:9289840CB0518AF183BB41AB05428A6415B92AAE
                                                                                                                                                                                                                                      SHA-256:07A068EF96EE5F447282B42B1818FDFC372B674893E6742A5F83DDBC4DF13ACD
                                                                                                                                                                                                                                      SHA-512:41B19112B6CCE405E16153354223F4AFF548E9F55EDFDC158588E78D9EAA755E10865D7220B916EC14DAB4181C55C005B161B44AC011419EE85EFF5F65975523
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):284208
                                                                                                                                                                                                                                      Entropy (8bit):6.11766612253341
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:IZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHex:Ogo0WPVTXgk
                                                                                                                                                                                                                                      MD5:D1BA01295CAEFA1F00261AAA943FFDBC
                                                                                                                                                                                                                                      SHA1:54BE9D6F121721542E1B563804766592C9EBF14E
                                                                                                                                                                                                                                      SHA-256:F425945B4D1BD5D65776EE4FF4330F33947692EA5E797EDA3103B6E380196BAF
                                                                                                                                                                                                                                      SHA-512:DFFE1F15F635FD9C083B51C66DBE5C5C9B16516B8CA036B262765279FBF01FC521D10AE31288CA3FB5DAD4F8B6E744DDA33FB8698267C40970DCA9409178E067
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):22064
                                                                                                                                                                                                                                      Entropy (8bit):6.678784612747097
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpx:tuhMaVmzDC67EpYinAMxCJ
                                                                                                                                                                                                                                      MD5:35082EAB5825C9A9D021B5B97BE382B2
                                                                                                                                                                                                                                      SHA1:4716CBD843C8A2A1AA7ED7C95700672E9A863674
                                                                                                                                                                                                                                      SHA-256:B91E3FA4C89230B668EE2DE7D6824DAB708B981F1AE94E734445154BC8A3F6EC
                                                                                                                                                                                                                                      SHA-512:9F0FFB52E060910662AE7AA020AE836119BC609B3E0E9367C7C9D2F2975FC1DDEB1EC1B2F708704C22D666E778B787679BEE5A3CAB5868C09CCB5B57C9026BA2
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):97328
                                                                                                                                                                                                                                      Entropy (8bit):6.2419469146373485
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:3NSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxQ:3N3OWMsQ56vd2s+KuYc9RTJa
                                                                                                                                                                                                                                      MD5:9F59EFE4EE7BFF13F5866311048A6A80
                                                                                                                                                                                                                                      SHA1:1F20929EE2BCC0BE40848CC739C6F31CAD13DA69
                                                                                                                                                                                                                                      SHA-256:32FB947BAD722480938922DC363DB76AB0079383C6D732B4998C302B03D87200
                                                                                                                                                                                                                                      SHA-512:CCCAAF2396AD1307AF0B51B424005BFB350508059CD9CF3E9641D396CCA3EC4C22EFB0329DF0AFD0B3888E07559B6904A0361B85A80A527CD3139161CFF91DAA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):138288
                                                                                                                                                                                                                                      Entropy (8bit):6.17954530016547
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:G3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnO:U0qjCSRE+fw0kG719
                                                                                                                                                                                                                                      MD5:6D055BBD0463057997B216FA41FC1BAA
                                                                                                                                                                                                                                      SHA1:0E3B5685453BFE674252EEFE7B29DDFFE3394F36
                                                                                                                                                                                                                                      SHA-256:94571C1156471E113A0BA58686D0E0F8C8A18B7F5415A17CC00688D6901D6DD6
                                                                                                                                                                                                                                      SHA-512:D3D1FB3588D4AE7279244086069DEF2145FDD341099BD66B801CE1F7EB18F4F68B0043D3CF4BA5C8FA3FA680EF228C3371743AF1E9DCAA64711321EC6A94FCEC
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17968
                                                                                                                                                                                                                                      Entropy (8bit):6.673983708245621
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Oh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBhKr+:Oy9eEpYinAMxCAcr+
                                                                                                                                                                                                                                      MD5:351EE6E0FBE6951D43F195DBFD34911A
                                                                                                                                                                                                                                      SHA1:2FAAD5BD1D08D9791C941F6F01BA41473C12DD1F
                                                                                                                                                                                                                                      SHA-256:8B4AF4380F5083A9DC11F5E74FEA942A34DE4AA3740EE0DBCEF92A95AFD656F6
                                                                                                                                                                                                                                      SHA-512:00A0600E0E4541058B8FF5A7314E0C2779B5BA5E3F9FBE9F15556E84D84D8B3C0317116B29A832CB038457EF6CE1FA88149C18E7DD33D27A3ADD3AFFAC5FF9D7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):342316
                                                                                                                                                                                                                                      Entropy (8bit):7.999331258360695
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:6144:Ir6VUI82xfkgpWrvL/JVW2L3ukK29GSya5GZ7F2vtVygTNBr6VEZGqTkxU4sAQgY:Ir6+jAfk/rD/J3Lun8EaekVcgTzr6GZR
                                                                                                                                                                                                                                      MD5:09447F135F7F4486C165061CF443C569
                                                                                                                                                                                                                                      SHA1:3AD4264DB3112F845D35C112AABEA9CBB2E21AFA
                                                                                                                                                                                                                                      SHA-256:0142E2CA4F93C9631591065DC53944A86E4B961620F4FAF1FE8B61A8B2867C9B
                                                                                                                                                                                                                                      SHA-512:BE678FB5CA389198A5CC474C8E9E9D0C79A92A582CB81325B13D8BE226725AD04FAA6ECC3B4B7CECAEDAA6F15EC13F01C0276100EE19FAAF0A1B1DD7D061F31B
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):72744
                                                                                                                                                                                                                                      Entropy (8bit):5.510938920637226
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:r8V3tfciq9s2k7Xvpci+yLYCJoUu7Q6P+O76q:klPna02B86P+ON
                                                                                                                                                                                                                                      MD5:67FEF41237025021CD4F792E8C24E95A
                                                                                                                                                                                                                                      SHA1:C47A5A33F182C8244798819E2DC5A908D51703E8
                                                                                                                                                                                                                                      SHA-256:C936879FBB1AA6D51FE1CDC0E351F933F835C0BF0E30AEF99A4E19A07A920029
                                                                                                                                                                                                                                      SHA-512:232015FE6BEE6637D915648A256474FC3DF79415AC90BABDFC2E3DED06C2F36FCE85573EC7670F2A05126AA5F24A570B36885E386061666D9EAA1F0DA67A093E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):541
                                                                                                                                                                                                                                      Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                      MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                      SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                      SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                      SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):12
                                                                                                                                                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhXRLW:WBRi
                                                                                                                                                                                                                                      MD5:B22628235C1F44AE054091C8FDC82D23
                                                                                                                                                                                                                                      SHA1:70C8E5ABD9D2D8A18B769F6E71819FB53B273B9B
                                                                                                                                                                                                                                      SHA-256:B31673E38897D5D84558E2745D02C553649A50063A9F0E7DE7E71BBA89916232
                                                                                                                                                                                                                                      SHA-512:C1097690938F3EDCBA20802DFB77880FB29D1F8B70C62FA76D1828613D57355FD04C0B3D26DA90128DB2DF2E63E4E30C8E195B84452C0931B8CB2F043D5BBA98
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=24.3
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):96808
                                                                                                                                                                                                                                      Entropy (8bit):6.179705686579105
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:FJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762s:FQUm2H5KTfOLgxFJjE50vksVUfPvO1m
                                                                                                                                                                                                                                      MD5:C548EA0CD65F5981C2DF82A0177A9D3A
                                                                                                                                                                                                                                      SHA1:5D082BC6BC2D1F2267AE8525F3A528A0B58C3161
                                                                                                                                                                                                                                      SHA-256:BEAFAA0CF51CE914B58482094044A6CC742C3269431A812D5683CA3034ACCD84
                                                                                                                                                                                                                                      SHA-512:530AE2069185897612E0129135065954379F75F6C9F9DAEE3F7D9DFE49C7CEAFC8807DC866591F39337410FAFA76733705C316912F3A12AE85565ECB775476F4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710184
                                                                                                                                                                                                                                      Entropy (8bit):5.960555604702895
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:UBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTU4:UBjk38WuBcAbwoA/BkjSHXP36RMGN
                                                                                                                                                                                                                                      MD5:1792F462B4908235FBA6B3B4B2203276
                                                                                                                                                                                                                                      SHA1:E1B0CF8559C330377E2DE7FEE9FCC0FC3D34566A
                                                                                                                                                                                                                                      SHA-256:8CA1C3651A6F118C80E712BCB9C44031EB3D8C7180A60EDA5F2B24A0584082A9
                                                                                                                                                                                                                                      SHA-512:7AB9E256A4359A5560BD8C10014591F350F2788F72693234C16AA0B75F95F9EE3CF5E219B97A33944A5E730202BD355064885FD060812EE150107FFC84C92F65
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):18
                                                                                                                                                                                                                                      Entropy (8bit):2.885513030399882
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WYfSgdd:WYR
                                                                                                                                                                                                                                      MD5:18B938649FFD79C68238BB169D99EF17
                                                                                                                                                                                                                                      SHA1:C0175554D0B3C5EE372EF116396DA17EECCF444C
                                                                                                                                                                                                                                      SHA-256:91346E544331BB00D0CA4E281169C2DF9B584CD2CD0B4DBDDC40AC88AA778550
                                                                                                                                                                                                                                      SHA-512:198F49578D21C2657A92AE2ED7316526FE88930270BC94BD8315FF2D1864198D425A4228228134B3BE62BA320E9A6853FEDCA778CF136956E2BD9D980FCA1309
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:638724584717859488
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):86
                                                                                                                                                                                                                                      Entropy (8bit):5.1634349996541005
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:YhKSLJf2B4VXdkTcernMPJNFH6qJYCnf2RO0Yj:Y5fVQTcUMxrH6qmCeoF
                                                                                                                                                                                                                                      MD5:4FCE3C235FCA85D5956F39303414BF92
                                                                                                                                                                                                                                      SHA1:2AEBA0BA179B36F5ADBA60F3EA3132E2899FCE3C
                                                                                                                                                                                                                                      SHA-256:D034BAE9E84670B56CF4A965CF8AD4DF137929EBC82A60AC3CA0291A2FBBB200
                                                                                                                                                                                                                                      SHA-512:4E00C72245821BE4778C5D9228FCA8FBFDAEA6756CDB0BF5BE6B7CA108065E3EE20A3EDAF471DE9EF2F2DEAF6352FC32F54B972AE9CC9E8E302503F292B0B806
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:{"DownloadedAt":"2025-01-16T18:13:25.4777156-05:00","Hash":"nNa6OtJ9rJZ/Bzy8rYj++Q=="}
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1560
                                                                                                                                                                                                                                      Entropy (8bit):5.053361655526369
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:MNQ0/bqd+sVNPtiQ0/bqd+sVNP6Q0/bqd+sVNPMEK:MCUbgd5hUbgd57Ubgd5M9
                                                                                                                                                                                                                                      MD5:23FF4A3D7849DBFC7FB7BD7A600EA5A3
                                                                                                                                                                                                                                      SHA1:EF1A821F87CFDE6855630E275C5CC81C64E8882F
                                                                                                                                                                                                                                      SHA-256:AFAC82FC9DEA324FAF590D3DB8E41B2C1AF387FF75BA1554913EEE8DBC7EB9E8
                                                                                                                                                                                                                                      SHA-512:0939C930256A217A96CA6A084381C3141DF7CCD0E7838086C68BEC336A2F8A76500C251FCE37168FA1229F1317C4EADD0F73B701B5F098A15E0F98659B89FEA6
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:..14/01/2025 13:34:31 Failed to set key: RequestPermissionOption with value: ..Exception: System.ArgumentNullException: Value cannot be null...Parameter name: value.. at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument).. at Microsoft.Win32.RegistryKey.SetValue(String name, Object value, RegistryValueKind valueKind).. at AgentPackageSTRemote.Persistence.AteraSettings.WindowsAteraSplashtopRegistry.SetValue(String key, Object value, SettingKeyType settingKeyType)..14/01/2025 13:34:31 Failed to set key: RequirePasswordOption with value: ..Exception: System.ArgumentNullException: Value cannot be null...Parameter name: value.. at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument).. at Microsoft.Win32.RegistryKey.SetValue(String name, Object value, RegistryValueKind valueKind).. at AgentPackageSTRemote.Persistence.AteraSettings.WindowsAteraSplashtopRegistry.SetValue(String key, Object value, SettingKeyType settingKeyType)..14/01/2025
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):687102
                                                                                                                                                                                                                                      Entropy (8bit):7.9992259812758135
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:12288:YQCewZw3IoWZyN0mMaER+jcyO3IPYpP9UE9bIIVwSTgSC7mxc:YreT3xGmMaVjcKPEPR9bIIhYh
                                                                                                                                                                                                                                      MD5:96E50BBCA30D75AF7B8B40ACF8DDA817
                                                                                                                                                                                                                                      SHA1:4B1255280DFF8DE8B7BE47DEF58F83F6EC39DED6
                                                                                                                                                                                                                                      SHA-256:A3AD00CCB61BC87D58EB7977F68130B78A0B95E74D61E6A4624AC114CCDE5736
                                                                                                                                                                                                                                      SHA-512:0034C08CB878B703F272E3FD2734BB928FF1BDBA85CF79A151519B019C83BD4D199C80AF0AA30DB28EF82F7EE68A9D59DCAEDE92F83BFE8787F6A5D4D5E9817C
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):51752
                                                                                                                                                                                                                                      Entropy (8bit):6.286975372577971
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:isXr7JfmSn0jVGcxf3OI3NjkfE53Tnz8zHFeDZkqEpYi60yHv:iOFnart3NwfE5Dz8REZkL76bHv
                                                                                                                                                                                                                                      MD5:5BB0687E2384644EA48F688D7E75377B
                                                                                                                                                                                                                                      SHA1:44E4651A52517570894CFEC764EC790263B88C4A
                                                                                                                                                                                                                                      SHA-256:963A4C7863BEAE55B1058F10F38B5F0D026496C28C78246230D992FD7B19B70A
                                                                                                                                                                                                                                      SHA-512:260B661F52287AF95C5033B0A03AC2E182211D165CADB7C4A19E5A8CA765E76FC84B0DAF298C3ECCB4904504A204194A9BF2547FC91039C3EC2D41F9977FF650
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):923
                                                                                                                                                                                                                                      Entropy (8bit):5.156246271896278
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:Jds4F7k1hOXrRT2/2E10PT2/+w0E1UrPT2/+7Trln:3ss757Rkqk+wik+7Nn
                                                                                                                                                                                                                                      MD5:D6FCBCF9C6ABC2F051772E7A7D5EDFD5
                                                                                                                                                                                                                                      SHA1:33D9962BCC42F021A7CEADF3D1C613B4643C66F6
                                                                                                                                                                                                                                      SHA-256:F523D40AE141AA8899B053D77117FCF50639708757AD4A050F3A11E8582A894A
                                                                                                                                                                                                                                      SHA-512:07DA40F1C43A1E35582ADE5DBBAEB47EC2922C42241BD4B950EFA76407597CF838338E27F3F5197E02F5209B27542207BEDBA9B85681955E3C326C95C1F5AC22
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />...</startup>...<runtime>....<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.....<dependentAssembly>......<assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.....</dependentAssembly>....</assemblyBinding>...</runtime>..</configuration>
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):13
                                                                                                                                                                                                                                      Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhXSgXn:WBZXn
                                                                                                                                                                                                                                      MD5:EB0865EBB86960EC4069DECECBF43ABC
                                                                                                                                                                                                                                      SHA1:9BA2E92AB9F9DB9242EFDC5FA356B2D7D1F52D7D
                                                                                                                                                                                                                                      SHA-256:BEFABB04180AC3DA1D823D4CDF9F3636832F5115BC42F7E39CB26A56FB794CA4
                                                                                                                                                                                                                                      SHA-512:5E8BDA4CA7B3C89FD38BE682DB8D5BB1B5567CE1A25116D539A1510BDAF11E3EBFAE835EC1B54BEDF5D38DACE58EEE63AFCD8049874DBFBB02A34B368AA25322
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=27.12
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):14888
                                                                                                                                                                                                                                      Entropy (8bit):6.879525569919863
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:wC9aM0P8P2Nyby2sE9jBF6IYiYF85S35IVnxGUHFi3o86A/pT:wC9abP8ONyb8E9VF6IYijSJIVxu6A/pT
                                                                                                                                                                                                                                      MD5:8BD230F842430C8DD3BE4722B15A779B
                                                                                                                                                                                                                                      SHA1:34422CB7617698BEB5CE61D24C2FC4935F8DEEA9
                                                                                                                                                                                                                                      SHA-256:E94DB759123A44C61ADDF525BBF3E08FFA85529061A48D68BC636F171A3EFB77
                                                                                                                                                                                                                                      SHA-512:A7BCDB7613E74CBDDDEDAE8A895B91F21AFF9464A52D0EC5DDD3144DE9F2AB2CB2D3A7C2A1C976E0AB982A122332DE54787B6C2F3FB1BDD529FA974154420772
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):112680
                                                                                                                                                                                                                                      Entropy (8bit):6.1795911171130955
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:QtsGQngrGJbFzxsIehOKHbevOblTQFHMbd6U/pC18VdUEvfkAS07K760:Q6fBzxWoOOibd6U/Y18hK07KD
                                                                                                                                                                                                                                      MD5:195C0C9415221A7144C7614FE4A7487F
                                                                                                                                                                                                                                      SHA1:2FF047CA961B801683E0FF1832475B3C7C3E1B15
                                                                                                                                                                                                                                      SHA-256:A9E0FD283F4B8CDAE56E1AE2C8996489B7FF9379B0029A6C9AE71FE9DADCC12E
                                                                                                                                                                                                                                      SHA-512:74DA09B893D2F0CD9F7542D7822E23B911C9900DD00A0E7458964901A9C03C4A42E848F2A1C1DE3592261A2D0626DD82964731CB5A918FE31EDD31F4A32CF01A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):38952
                                                                                                                                                                                                                                      Entropy (8bit):6.309196886140639
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:/INsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgYF:gNsii6v/HS0+OJd5gpKm76tga
                                                                                                                                                                                                                                      MD5:B27F689B547835884AADE60304FC4860
                                                                                                                                                                                                                                      SHA1:72A9C72DC7F0D0312F09BBE3F605A36AF9D814B3
                                                                                                                                                                                                                                      SHA-256:01F80C32D73709B034E346256E4240F8A4336C7413A6B5F2DE3309F2233F53E0
                                                                                                                                                                                                                                      SHA-512:7BDF3A1B5895F31205D17E6A02A495D8875B0F0F802E0C1AD1F95DE391BD1317CCFD8C0A772EF4FB993598E746FBF203CE87E20AB46544C6F9A1C1101AE2E2B9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16424
                                                                                                                                                                                                                                      Entropy (8bit):6.854928178747648
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:D1c5aLPiraWj4/wLNyb8E9VF6IYijSJIVx99hvHalN:D1cGmXNHEpYi60X9SN
                                                                                                                                                                                                                                      MD5:63BDE840E460E4C8546366DF319B2C1A
                                                                                                                                                                                                                                      SHA1:9DA75B897704BA1B28091F1D442A832EB175D648
                                                                                                                                                                                                                                      SHA-256:5907BFCC210749BDC7619CB1A433C90A3280005D5DA344D134748B336F86EB55
                                                                                                                                                                                                                                      SHA-512:04C3248EE12D7E199B7B9EA45C9B001082D1D6E8BE166F2BAFDCF28F4ABD9B029A08610ACA0ABAFA968C1E3361042876F410E2000FB97A1500D5FA60C4026D08
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1017
                                                                                                                                                                                                                                      Entropy (8bit):5.00184675687532
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:JdArdEtPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3Ar+z7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                      MD5:8A743B2BAC31EB00D4BDA0EBC8DF160B
                                                                                                                                                                                                                                      SHA1:5564F6A8F02973D040E8409E21B2A18ECA2CA8EB
                                                                                                                                                                                                                                      SHA-256:31A69A6D9423CE1BCF98F5281DEB1B8F537D95609CDFA03AF9A41CBF00D1243A
                                                                                                                                                                                                                                      SHA-512:9F14C687EF076CEB4B903E2C5803DCB9401BDEADC00B0E090765E67B54E9BEEC733B087609D76C605C8485C7E446E8DB3A0D8AA3E17C969FC155F069070BB543
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>.
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):398888
                                                                                                                                                                                                                                      Entropy (8bit):6.134206560185113
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:3jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvO:3+e55LgIkTmyAAfTnMLvO
                                                                                                                                                                                                                                      MD5:F391CCB7426246CEF39937C6C85FFCF5
                                                                                                                                                                                                                                      SHA1:925186A6A3F52512E3547EFB94AF3CE8C8A19F9F
                                                                                                                                                                                                                                      SHA-256:506D6F045E379C944291C4D42877AC80D767FE761DB878C60D4907862395509D
                                                                                                                                                                                                                                      SHA-512:CB86079DF5D791C1900466B079BEF0614B873C3617B85A02C32E4C052ABFF0C7B87429BA5062F8FBF878ACDB4E9D74B69516DB2C4628677DF05D109624DCE99D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710184
                                                                                                                                                                                                                                      Entropy (8bit):5.960602645180309
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:mBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUc:mBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                                                                                                                                                      MD5:FCA140489085D8088D8A3BBC0EADF117
                                                                                                                                                                                                                                      SHA1:2EB49B4E7253D242EB7C2581453B11DCE83848FA
                                                                                                                                                                                                                                      SHA-256:89DF8434C10815C95DEC04BA45F9E7AA07DA3AE3B01227069F28F503DB8A6ABB
                                                                                                                                                                                                                                      SHA-512:F38226E0B6222F5FFA37C1DDFF42364574E50D7B2324AD11931E6A38A679E2AE7930C5B373CCB179AD36F229620DDDF9A1E20E4CF27FC2185698DC1B49F2BD07
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):18472
                                                                                                                                                                                                                                      Entropy (8bit):6.7042894099808645
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:OqfstMuZM62t0Nyb8E9VF6IYijSJIVxxCRFa8:OnMu66e0EpYi60EX
                                                                                                                                                                                                                                      MD5:3F901D04C4F0639CD2A8EB0658934363
                                                                                                                                                                                                                                      SHA1:020C122AC62E2D8DAED6F6E3F565AD95020DC7C9
                                                                                                                                                                                                                                      SHA-256:8D3EA5FECD13346F6CF7C1DD22A9A4ACEAB933237315F2CDB3E3336D203415F6
                                                                                                                                                                                                                                      SHA-512:DC5A4A8C7DBE10CA75A859CE252EBA04949E41990CEBA19981ADAC781009A666B83AB71C9A093812CE23BC3FA24405494C5F60C837C20E91268B28F2982464F8
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):975
                                                                                                                                                                                                                                      Entropy (8bit):5.005145470654642
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:JdsHPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3st7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                      MD5:DB02B24A7803C99F651940FECBE6E283
                                                                                                                                                                                                                                      SHA1:34EF3032B61E369535658D72BCE1E9908888EA0A
                                                                                                                                                                                                                                      SHA-256:207C4D442FACD06379217DD915D85D926DD622E72F6DB5814753FD2E5F8D0048
                                                                                                                                                                                                                                      SHA-512:9C76B6E3DBB34E2729F5C0E49A2A195C87AE11916A4479676AD09EE2C182DD83F87E826BA39DDF410B99A82EF1053571AA7A1E97426D396794C6E25E066C3849
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):22056
                                                                                                                                                                                                                                      Entropy (8bit):6.67419471304358
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Ky/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOq5eFQ:KuhMaVmzDC6k0EpYi60GFQ
                                                                                                                                                                                                                                      MD5:8802D420754BF1D2D0375E7616A8C0E7
                                                                                                                                                                                                                                      SHA1:A6F98EE725ACD9143BB2513EEBC7D21BE055B6D3
                                                                                                                                                                                                                                      SHA-256:F9084AEDB6F80B41B1018F1983A746DC15AC290B5BF7D3096F68716049485997
                                                                                                                                                                                                                                      SHA-512:7627A626774ADCCEAF0461815AB8987C74DDFBACA401C734BE886DB8D8C9EA7FF9F1CE4CB50F1AF331C9B81823063EEF36C789B41583B7C60A1A5D05F90AC9A2
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):64040
                                                                                                                                                                                                                                      Entropy (8bit):6.266246479247275
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:mYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zr1C:mKC9niwOepJ6TJPeb6NIUFg76Kzrc
                                                                                                                                                                                                                                      MD5:9057AF1C1137747ED13F9F1D1A60D3F8
                                                                                                                                                                                                                                      SHA1:6CAA9C3E940D3C5B8E0712ED5BD6A808FD7A1972
                                                                                                                                                                                                                                      SHA-256:FBF397A93F036A5A6BCFD5E9A0284CF0176BD14DE64E4112F62B9907EBB7A275
                                                                                                                                                                                                                                      SHA-512:45C09D503CF659063331BBFCB584BAA3145BD15853AA4D6D796869EC6C26EA9F3DE41FD93C95770421F7DD3B080B6DABA0BB461D5A591DEB59CCD4FF27CE6E1B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):138280
                                                                                                                                                                                                                                      Entropy (8bit):6.178878143933301
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:NP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJHf:Nh0qjC5RMOHO420kN1U
                                                                                                                                                                                                                                      MD5:22F621864F912999153ABBB388FA2201
                                                                                                                                                                                                                                      SHA1:B8DD279077A56F232B88E760E86EAB6E1643A27A
                                                                                                                                                                                                                                      SHA-256:F37138000A2A7B659746C2F1B5B04662EA3C6F3BBB99D8431E501E7C1A48B6B2
                                                                                                                                                                                                                                      SHA-512:A9A961EF94204D86A7F1DFF09F27647D205DEE0F66F6ABAA3BA24FE433A43577294D985F26A605D8D71A898BDE0EA2B7D2D9BA6904505D8E0DCE0E8A043D5343
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17960
                                                                                                                                                                                                                                      Entropy (8bit):6.6358275792286925
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:6TO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF08II:6Cn6xYEpYi60k8J
                                                                                                                                                                                                                                      MD5:EE85382C1837ED5F63F224AA54F55114
                                                                                                                                                                                                                                      SHA1:021EF0F6D8AA0B7E6220AABEA662CCF552D28255
                                                                                                                                                                                                                                      SHA-256:780A4CC22F54F6363E140A85A209348123CC95E50459EBCFFAC94658728D40A3
                                                                                                                                                                                                                                      SHA-512:B7EA109B76D80F4E811DAE61259F50064F5240FFE47EEBD40D0F7FDAAB9292C5003CD6EE5916EE11B444B78CF3F8A3707AEEAA4A8B86B61C8A56DEAC53E649D9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):27176
                                                                                                                                                                                                                                      Entropy (8bit):6.332263296888565
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:Qn1VM0JrpNWDcIh6leOiDFIFBYp1+yWEpYi6018:QnvXYcIh6yFIFBYpcyX76T
                                                                                                                                                                                                                                      MD5:CA05B735DDFC8455DE0DCEB9F0D61AA0
                                                                                                                                                                                                                                      SHA1:1CFF8FA91F93C9AFED0DE4A3755C294F2EF73E30
                                                                                                                                                                                                                                      SHA-256:B639135A02AADB17FE574E926958DDCADEDB7D6AB1AE6B6A922A019D5E90DAE2
                                                                                                                                                                                                                                      SHA-512:85D9DA312F667633AB86508D0CBE08537B9FB933D823532B0F610C05316BD92510DB63CC48153A7E4B419C00AAB7158B4D0BDD887A1E4C366FCE7D9C0E966977
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3264840
                                                                                                                                                                                                                                      Entropy (8bit):7.999888526840204
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:98304:tXocgF/bGeL2rNCmtrWUw5WjYtwmiwzYi:tdC/SSg9zjYtwhwl
                                                                                                                                                                                                                                      MD5:8E70AF11D0EE2ABE139B40D67E70B73C
                                                                                                                                                                                                                                      SHA1:18582E88E16255D5D267904BDF0357EC9FF333E0
                                                                                                                                                                                                                                      SHA-256:5C687ADAA48B83DE220E8489E0CEB0093BE1F94260750C8D94A1B8497781327E
                                                                                                                                                                                                                                      SHA-512:3A845ED4AB368B0DDE7E98D77FB796E9070F6BB9472EA833E52B19EB5BD47260E0B288FD3C8D19235BD9DED6F7B11EA10985AD871C8F5C82751249301D3EE4A6
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):33320
                                                                                                                                                                                                                                      Entropy (8bit):6.272339196658384
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:a2G6bukIMKWcoIQEIhL4lylU9OfWtkfoi75yHiDMMXpO66REVmlRSNyb8E9VF6I+:PLKF6EIR4lXsIEDLseVmlRyEpYi60+D1
                                                                                                                                                                                                                                      MD5:2EC1D28706B9713026E8C6814E231D7C
                                                                                                                                                                                                                                      SHA1:7EF12A01182D28A5EBF049CC1CB80619CD1E391A
                                                                                                                                                                                                                                      SHA-256:C9514BF67DF87AC6CC1002F3585D5B6F7D4093A7A794D524FA8C635F052733DE
                                                                                                                                                                                                                                      SHA-512:9E23588DC6D721F42E309974C3F3089F845F10D1DEE87FB26213BA3810EE3C272D758632CF1C9157F6862BA0E582AFC49C1EE51540461F41840650F216F35AEB
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1537
                                                                                                                                                                                                                                      Entropy (8bit):5.0063120500114895
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FV0PH2/+w3VUrPH2/+789y:3sIk7O7RgdjdgFSagFsg+w3Sg+78w
                                                                                                                                                                                                                                      MD5:C3CA0AD8FE91D02044029A11A9480B1F
                                                                                                                                                                                                                                      SHA1:1FB4C1063460C48AC77D3D4702697A35727A5E51
                                                                                                                                                                                                                                      SHA-256:B2AED8BAB56D0FDBD1D6F1277A3257DFFBFD107BEB19320C0D1F4DC0E4AD3AEF
                                                                                                                                                                                                                                      SHA-512:50B18B6DD91CB691C8B77AB612A7172CE59881705A52F59880A29A0F81E910A61D3D4506AB53B1F945611AFE079B96A896F3F01442D3B68801B2748C68AE01F6
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):12
                                                                                                                                                                                                                                      Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhWA:Wp
                                                                                                                                                                                                                                      MD5:9A5E9A329E4E73E0C499371205A810DB
                                                                                                                                                                                                                                      SHA1:5B6D85657D4ACD89867283FBE372E9E85C30686F
                                                                                                                                                                                                                                      SHA-256:D109087C4CA318CAD74B7560C32594D37181885ADBDC9348BA1DD35D47B35B92
                                                                                                                                                                                                                                      SHA-512:02BD5261B9E795ED5A07BADD65A6CF71D18751452FB44BDD424DFCC6C50BA7441E0066B125E731018FD6F1A8A002AC4E6961C7EFF21C36FBDA58C8015A100C43
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=30.3
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):112168
                                                                                                                                                                                                                                      Entropy (8bit):6.180159202167914
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:BgssVbDRgWchiMWXRIe0ZMTR8U3XTknAxb2waOn3ybQgLbYpm8GRUdokEWUpj76y:BUpviy8UHTRxrybQgLbGm8FUpjR
                                                                                                                                                                                                                                      MD5:5114EBB60AC0416A62499F4CB632FC87
                                                                                                                                                                                                                                      SHA1:2E38B97A6A1EA9B36F64339DD7FC3C58083ABAA6
                                                                                                                                                                                                                                      SHA-256:CC93928F16DADCDAB232332825BB744CD1E6AEC55E59EA14977AEF413EACD0FD
                                                                                                                                                                                                                                      SHA-512:07E673BA52EE82C59E6C3FFC9CF95F39BBFB7903E449A9AA49893879A94A61BB9296D653631DF5FEEB1EB9787512C6008901054C5A2509EDD7132F9477309942
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):145448
                                                                                                                                                                                                                                      Entropy (8bit):6.2032780562233345
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:hRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhj:X9XeDmzV2yzlhKLFU1lLVp1+2flYFnQi
                                                                                                                                                                                                                                      MD5:4423EF97B513D7BA0D2EEB1FCA4D28E2
                                                                                                                                                                                                                                      SHA1:7BD205977CBA7A6C21C89C5C9FEAA010B9C9298D
                                                                                                                                                                                                                                      SHA-256:EEC63220063690D7D953A1FB8F3798AE7D277A36482AD4EB804D526A7FE7C71A
                                                                                                                                                                                                                                      SHA-512:316C3C0478FC11FE7C94A31F895E7084FAD4F7C9ED08E19DD30536038FFA80C2B7AF769AFC9C51A2EABDBADA71912BC685E62FFB1123207663F9079BA4D96BFE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):38952
                                                                                                                                                                                                                                      Entropy (8bit):6.310169343696597
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:eINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgVK:XNsii6v/HS0+OJd5gpKm76tgI
                                                                                                                                                                                                                                      MD5:FC2E2EB6AA0EB01DEB3D5DDE95216C5D
                                                                                                                                                                                                                                      SHA1:11DAAA7ED638922C8CF473A4FF3BA56224510BFE
                                                                                                                                                                                                                                      SHA-256:862AA98B7C3A28A5B8377BA18BAB84D1D8D289A2EE5ACEB56DE43176CCDEF1C8
                                                                                                                                                                                                                                      SHA-512:A1216C57AE85612F2A48FB7988B61B449343963EF273B26CAE74D1AB18790872961A8AC2EDCA389B00C5C85B82B645F218F784F98F4F6125E6D3B7E00B7E45B1
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):29224
                                                                                                                                                                                                                                      Entropy (8bit):6.670756678192546
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:3mYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF606Nyb8E9VFL:1SJh5tIYQzT5zyF60aEpYi60uc
                                                                                                                                                                                                                                      MD5:54A2B1EC2667987A308A52DEDF33C0D5
                                                                                                                                                                                                                                      SHA1:556461805105DCB765B7DC5D0E110B82908226DB
                                                                                                                                                                                                                                      SHA-256:1C9A08BC7802BD9F2486B4C967DF27729AE8805B0B6664A257C951ACA199B04D
                                                                                                                                                                                                                                      SHA-512:28A478AC767843924D4B90D42F3A40F033971CE0EDEC7D94BDB86C2659B8605051983C7F9B8223961D1866364F78DDACB6D613F09BF8ECFC1A209D3515FCE264
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):219176
                                                                                                                                                                                                                                      Entropy (8bit):6.062824781472667
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:nYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhlt:nYqqbe2CSod5dtM8ww7PB
                                                                                                                                                                                                                                      MD5:9D744C31089704B1130E09E63B0A77EF
                                                                                                                                                                                                                                      SHA1:5EFBE59068AD3C09B29565F5A117347F5B85D0EA
                                                                                                                                                                                                                                      SHA-256:D9B9EFAF5C6B1D3EB726EEE5B6FE1517B4693C4E79BD9D36D3D9FB4F56E01E1D
                                                                                                                                                                                                                                      SHA-512:E4456196C56B43ABA2A804694B6177A6EB78D035BD1AD9A0163BCFDDD6FCF75C34AF08C849A8086B78347141C798A050FD33BD02CFAA1BCF679ECB928737D3A4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):302120
                                                                                                                                                                                                                                      Entropy (8bit):7.175844791268153
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:9tDIk5C5mx115y505H0jIfJMSFk9X0jIfJMSFk9y:fGwJMykwwJMyky
                                                                                                                                                                                                                                      MD5:24E35FC5F23B651ED4C828208990F6B8
                                                                                                                                                                                                                                      SHA1:F7E295866E30105C0E9071B00A77EEC79F60B699
                                                                                                                                                                                                                                      SHA-256:CA054D78E0B23D9EE4C0E42C8F12AE9065D3D0DB4FBD5A535CA2E61FE8FF7D93
                                                                                                                                                                                                                                      SHA-512:E5F8905116BFFDDC60ADE11ABA3733F52BE6FAEA7C1AA57361BC9A395D770D478A1D90D729A94A39171F7D8EF5CF25F45EDF70470A3ECD6AF8C0DC27F1AE3078
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):432
                                                                                                                                                                                                                                      Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                      MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                                      SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                                      SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                                      SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):215080
                                                                                                                                                                                                                                      Entropy (8bit):6.030238846720031
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:Z1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sw:AIzm6pOIgvr7p
                                                                                                                                                                                                                                      MD5:F4E5A12570C546887839144E366482A8
                                                                                                                                                                                                                                      SHA1:44462E129DD9DDF05623BBE3437FE64821F14787
                                                                                                                                                                                                                                      SHA-256:3CA6DCCBC420E9100F3BC9B3BDBEA6973816C62B8DC2A81FF22F6E842C10DD35
                                                                                                                                                                                                                                      SHA-512:8AD5A8B20B3EA96BB5044543D4556AEC224BF343023EB4C5CDD605EC8CA5A7E9BE329E71D9421268CD7FD4B0CA476C102AE0E4F6AE002363B15888D7DAA9E7B3
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):398888
                                                                                                                                                                                                                                      Entropy (8bit):6.1341588755904635
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:ZjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvnt:Z+e55LgIkTmyAAfTnMLvnt
                                                                                                                                                                                                                                      MD5:0F550F1F92AA94E930A6C68D805699C7
                                                                                                                                                                                                                                      SHA1:BFDAAE802A1479E01C0FB5165B7ECC951F82117F
                                                                                                                                                                                                                                      SHA-256:9DD7542BEFEDA3649F61AFAB2D82C1D8B26115F41E864A2F8264E709FC91812D
                                                                                                                                                                                                                                      SHA-512:5567706E01652BF7C7F56FA3FA49547D130CDE23AEE116E706F2868079011C5B263E5CC604B5662E1090B7AB2ABC205024DAAE484C836D6882E7464FBDA85E06
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710184
                                                                                                                                                                                                                                      Entropy (8bit):5.960676959152574
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:NBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUgA:NBjk38WuBcAbwoA/BkjSHXP36RMGJA
                                                                                                                                                                                                                                      MD5:E9108FCACB095ED2823F69BAA9ED1D93
                                                                                                                                                                                                                                      SHA1:EE25D1E059F0CE1ADDD5E4B7A03853B36C884400
                                                                                                                                                                                                                                      SHA-256:0BA7E4BEDA6C8C7A6B877FC2B7E0B6F8A8F507658FCA54A912F8E45554C182D6
                                                                                                                                                                                                                                      SHA-512:21AED55252C9274266EB2CAF51D5B92762071E0B332CC5DDE7CC32C1782FA81B1140BD0F635016C6FEC0C4A172109825CF6E5EE5A93C6F0B1863CDCEE053AA4F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):154664
                                                                                                                                                                                                                                      Entropy (8bit):5.990887534367274
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:s4wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otHA3Qe:s4wZywKn/U5xEwKIk0W1e
                                                                                                                                                                                                                                      MD5:82B94D333BAF35B94599C989A1A8EECA
                                                                                                                                                                                                                                      SHA1:5DF13E96606E67B4D5275D3BB91B9A95AFD31617
                                                                                                                                                                                                                                      SHA-256:BB8180CBDF1CDC7E7EBC4D23DAE6224F05145EA2605BF76D18D49983F4756E04
                                                                                                                                                                                                                                      SHA-512:1EBBAC94643FC4D3A74230A006478F1D7DD6A8BA8F8608D7B69DE5C92E9BD3182CDB4183345C73B48B3752D04C060CE42ADB7E3A8C1A9424ED47364E4FE837E7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):22056
                                                                                                                                                                                                                                      Entropy (8bit):6.669568565502546
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:JrMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxAPc:JrMcXP64LEpYi60F
                                                                                                                                                                                                                                      MD5:E5E7EB1598B17C8373BC0F0C5F937840
                                                                                                                                                                                                                                      SHA1:469D0F5A911EF1C80FC0E328F9E76A34583BB31D
                                                                                                                                                                                                                                      SHA-256:B883AFE3544A92BD429BBA8057F7C4AEAD683739E91F2CCA8F8147FE3327428B
                                                                                                                                                                                                                                      SHA-512:B2971B3D64578564F9A9DEC3616F85570C81AF65C596BA94A21578611C0DD3A834F5964636C4A10264D4A29B2EC2C74BED768DB4992CA2A43313025641BA932D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):420392
                                                                                                                                                                                                                                      Entropy (8bit):6.109465884923044
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:q5douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFr:qpjblhW1L
                                                                                                                                                                                                                                      MD5:EA5C50754B3A11BE9489EAB04AB81031
                                                                                                                                                                                                                                      SHA1:A46386934C9D629956668F87740E4DA4147E07B7
                                                                                                                                                                                                                                      SHA-256:08A76A996C91AB785E4142621CDC3254B47175EC3A33FC8C3513ED8DFF554958
                                                                                                                                                                                                                                      SHA-512:AAA3B07127EEB6F2E058C6864248863D4BAA83CD4683791AB82C507E57EA2EEF6FD78C1FA29640CDF583EC12F8C13668F4D8DE79BF4387711D7EDBD28B826344
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):64040
                                                                                                                                                                                                                                      Entropy (8bit):6.266365839467569
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:PYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zw:PKC9niwOepJ6TJPeb6NIUFg76Kzw
                                                                                                                                                                                                                                      MD5:55DD167763EB9C4FE8709C21FDCFECD9
                                                                                                                                                                                                                                      SHA1:A634B0897ED97161B62FF14B15B9AF9FBB760C7E
                                                                                                                                                                                                                                      SHA-256:970011EE897E5BD415A4D70641B6ACC58F0656CB7F87E7C529B90640E1068C81
                                                                                                                                                                                                                                      SHA-512:9F65B7AA10E046D0A64C67052DA8814BCE027239960B8768FF69922B90938299815A4D9D024CFABA296EC0EE2C9DC1FB2B6F8BAE9601235BB7BC34B6237C886F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):142376
                                                                                                                                                                                                                                      Entropy (8bit):6.160369825867044
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:RUGrszKKLBFa9DvrJGeesIf3afNs2AldfIlqI:IBFd3/aFs2p
                                                                                                                                                                                                                                      MD5:817FAA0EF87B090956DC66ABE717C2F8
                                                                                                                                                                                                                                      SHA1:80C57CE1204908B0CD8BF696A9E54C55BF1C018B
                                                                                                                                                                                                                                      SHA-256:0EC0A4222FFAD1F56182B48B6DC62906A3354912B52CB8B5974D5DA6D0AFFF2E
                                                                                                                                                                                                                                      SHA-512:1B04F84E46D7C3894FE9437F3F1E35560FDA773D60413D5F607DE08409DAFBE241249145EC056871CA55B425E8CC39AD44F56F0D1D517149A902019902E7F6C5
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):110120
                                                                                                                                                                                                                                      Entropy (8bit):5.510600631729483
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:kPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb76dH:kWw0SUUKBM8aOUiiGw7qa9tK/Yby
                                                                                                                                                                                                                                      MD5:0325D05CE325053B86538BAE3677D036
                                                                                                                                                                                                                                      SHA1:F6BD3CE0E63F1502FCA3568F9A2FE8EE610A02F3
                                                                                                                                                                                                                                      SHA-256:E4A7BFBAB82F5632AF35A88392FD163F2B994FDF6898BE36166CF59D1DDDD32E
                                                                                                                                                                                                                                      SHA-512:0E7ABF0C24153D4924733DD6A6B867C68439FF58DB0DCB09A11033CDF9D93317C06876971936A35244E0BD4A751356781BA23F7B9F8BBC82C3EE27ED9ED829B1
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17960
                                                                                                                                                                                                                                      Entropy (8bit):6.6730203845205205
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:gh06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeBZcyP:gy9gpEpYi60AZn
                                                                                                                                                                                                                                      MD5:43D2A25330C937DBE092E763C728857F
                                                                                                                                                                                                                                      SHA1:FACA5B0028E066D20DD60BFC381E64183BD1EAE9
                                                                                                                                                                                                                                      SHA-256:7D38BCDD5A122941DA48F3B3464ED2BB2B3DE6AFCDAC951FBAFE827CA3A179D6
                                                                                                                                                                                                                                      SHA-512:43A7F23EB47AB06C231447619E71764853C7F47AC13071A5F1237D477CD5AFF4DD413EE8F60BBD21C5D96E3DD29C494802E71FE69B836FF679449083BA6C6E0E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):19496
                                                                                                                                                                                                                                      Entropy (8bit):6.523503501017087
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:TyPa16oAL4D+wW9IWmDIW4IWYDa9Nyb8E9VF6IYijSJIVxFXao3O:TWs6oqDjADKeDa5EpYi60t3O
                                                                                                                                                                                                                                      MD5:5CCE0A003A3B4E3FCB05AD331737A629
                                                                                                                                                                                                                                      SHA1:F227F3D440B87FF6CA1DFCB05DB858422B6FB586
                                                                                                                                                                                                                                      SHA-256:98195B6ADD5D1B7357CF9CEACBC47180934050CD1F1CDC30D728CAF933F1F94D
                                                                                                                                                                                                                                      SHA-512:4A210A5ED4F406D7350DDBB9EE969F93F1CA3168A8034661927297319D778FEF95434E4C6D8981FDD17573C42DE013F7C765A39D9EFF8557932547DE47061C6E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):41512
                                                                                                                                                                                                                                      Entropy (8bit):6.408720053739074
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:ejfAw5tisE7Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3Upoztj9FgNyb8E9VF6IYij/:eksE74GX7nwOa5VS2ozd9FYEpYi60F
                                                                                                                                                                                                                                      MD5:7ADB4990E3417E540A8BA94265B3BB05
                                                                                                                                                                                                                                      SHA1:DC9040A3E3DBA544C34ECF8B709C41479390061C
                                                                                                                                                                                                                                      SHA-256:776D914F78177BE94DBCAC47AD3E9D97D9E31208F474A828540EE60E695C3577
                                                                                                                                                                                                                                      SHA-512:8EAEBE99366B7428281B1C0D87030C17E726E8B5D239F00DD29FFAA6F95C27FF443206488B6D08108663B6290F5421CD2BE34BA978BA6E4D94AA2F4CF197761A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1547
                                                                                                                                                                                                                                      Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                      MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                      SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                      SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                      SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):78888
                                                                                                                                                                                                                                      Entropy (8bit):6.073747946605879
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:zEgQIe8mLShsE0EGB3GsoTcvlYksQf761:zleyi5ErsoTcvPsQfe
                                                                                                                                                                                                                                      MD5:41697838D5D0D8EDA1411C981C9B29A5
                                                                                                                                                                                                                                      SHA1:6895F922F9EAE7C86C44A123F68BA4047C8E84C2
                                                                                                                                                                                                                                      SHA-256:308EB6E0401D6C30DCB17A1740A9F83197E1A82EE3B885BEBE9D840B6110DC18
                                                                                                                                                                                                                                      SHA-512:C6031B6038D9EBF5A623C482EE034473D54001EF233AE4DBDE9F6AF5C52BDA29FC517B7959D4FCDFD0379AE89C4B60E5E10C6DB434A2B9E44918E4B266AE26AE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):953
                                                                                                                                                                                                                                      Entropy (8bit):4.9874198404771155
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                                                                                                                                                      MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                                                                                                                                                      SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                                                                                                                                                      SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                                                                                                                                                      SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):350760
                                                                                                                                                                                                                                      Entropy (8bit):2.90589251015886
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:4O11JSb/jb5LEH8VAynnnnnnnnnnnnnnn82Bw:e5W
                                                                                                                                                                                                                                      MD5:7A4CBB0228E97071A39E075AC95186E2
                                                                                                                                                                                                                                      SHA1:3711A1F3F76428AEDC2647532575C37A1629AC2A
                                                                                                                                                                                                                                      SHA-256:373437D726DD953113E193FF4028C77AA462BC8EAB53E4F770889746652C3958
                                                                                                                                                                                                                                      SHA-512:EBD2DBE33B6346D020BCE651664B903D31BAFBA4968F8EE8983E38C9EFF8EEA928364D7406945258CF35E805580B125160D061510F16F95900C3CFB276F11EC0
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1786
                                                                                                                                                                                                                                      Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                      MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                      SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                      SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                      SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):350760
                                                                                                                                                                                                                                      Entropy (8bit):2.90589251015886
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:4O11JSb/jb5LEH8VAynnnnnnnnnnnnnnn82Bw:e5W
                                                                                                                                                                                                                                      MD5:7A4CBB0228E97071A39E075AC95186E2
                                                                                                                                                                                                                                      SHA1:3711A1F3F76428AEDC2647532575C37A1629AC2A
                                                                                                                                                                                                                                      SHA-256:373437D726DD953113E193FF4028C77AA462BC8EAB53E4F770889746652C3958
                                                                                                                                                                                                                                      SHA-512:EBD2DBE33B6346D020BCE651664B903D31BAFBA4968F8EE8983E38C9EFF8EEA928364D7406945258CF35E805580B125160D061510F16F95900C3CFB276F11EC0
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1786
                                                                                                                                                                                                                                      Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                      MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                      SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                      SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                      SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):59944
                                                                                                                                                                                                                                      Entropy (8bit):6.1324471704124885
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:Q6O442hHI1kIHLxnuFjBm+UuLcxVePk+CXVT+rB9ezGREpYi60j1W:Q6O4JuxnT+UuLMcBClyrvGGa76x
                                                                                                                                                                                                                                      MD5:FCE223AEDBE5FDFD5D1AF1F407A7E457
                                                                                                                                                                                                                                      SHA1:006331AAFD0898E17D7F873F81786DFFAD1171FB
                                                                                                                                                                                                                                      SHA-256:F4AE472EF2A816DD53F9A08A7E4C2604470FAD1C9F570BD6BBCA2E2EE7D31AE5
                                                                                                                                                                                                                                      SHA-512:3B6D1F6A844FB90BBEDDBAC9CBEE9BBD6B9E0E737E8DEBD3647AF20982B2D61622E708D7555800A15C1BE874BBBC2476A8F775B7D60F58E14C8798E925C202C6
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1191
                                                                                                                                                                                                                                      Entropy (8bit):4.971943087661362
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                                                                                                                                                      MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                                                                                                                                                      SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                                                                                                                                                      SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                                                                                                                                                      SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1006
                                                                                                                                                                                                                                      Entropy (8bit):5.218656750424563
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:rSHCniIqr4CaniIYpSVGYSEuhdrC7U4APUrB:rSHoiKhiJwVGDEmOUxgB
                                                                                                                                                                                                                                      MD5:2AD6A4220FFC3CCC7F95E376377414FA
                                                                                                                                                                                                                                      SHA1:D00D09A7699B77582E675B3A2E2E15C266A7ACB2
                                                                                                                                                                                                                                      SHA-256:69C9B66169651E77AF96F6907C932A84E7DAD894AB3A4F270F6267FC31C6B010
                                                                                                                                                                                                                                      SHA-512:CA1C8FF907F82FB96467971B3305250C26C2B6ECDC5875E47C1114F257E56D0E7FF071CA216C31C61E9EF9E703521B73E3C5D9D546F7AA20026F9568F0E2958F
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:..23/01/2025 14:53:51 Problem: Failed to extract path: .. Exception: System.IO.FileNotFoundException: Could not load file or assembly 'ICSharpCode.SharpZipLib, Version=1.3.3.11, Culture=neutral, PublicKeyToken=1b03e6acf1164f73' or one of its dependencies. The system cannot find the file specified...File name: 'ICSharpCode.SharpZipLib, Version=1.3.3.11, Culture=neutral, PublicKeyToken=1b03e6acf1164f73'.. at TicketingPackageExtensions.DownloadAndUnzipNuget.ExtractZipFile(MemoryStream archiveFileStream, String password, String targetPath).. at TicketingPackageExtensions.DownloadAndUnzipNuget.RunSync(List`1 downloadRepos, String targetPath)....WRN: Assembly binding logging is turned OFF...To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1...Note: There is some performance penalty associated with assembly bind failure logging...To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableL
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):23080
                                                                                                                                                                                                                                      Entropy (8bit):6.4987430748917925
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:8LOGTOwM15TRwLm6or29Nyb8E9VF6IYijSJIVxyy1So:8nMTR0Pa25EpYi60H
                                                                                                                                                                                                                                      MD5:78E552CDB4CB2B0DE7A1CEF209C90CE0
                                                                                                                                                                                                                                      SHA1:26CA5C6511B224CF02BB1C0DC1B4579C268E4B30
                                                                                                                                                                                                                                      SHA-256:0FF7666BB20911A83680B6C1FF02341A503B347AE020434997580F5B2F2C29A2
                                                                                                                                                                                                                                      SHA-512:9D0FE6D3580B5D5CBA458CBF6C4AEDE62C3DD107D72A13805F605AC0674AB6130B669AAA4E96069C64F24523C7477BBA575C813011E2443108B7DCE33268004C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1817640
                                                                                                                                                                                                                                      Entropy (8bit):6.551365167856295
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:d9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkPR:d9Nzm31PMoR
                                                                                                                                                                                                                                      MD5:0E488B8F6A93F0148C1CD10588FA3BE1
                                                                                                                                                                                                                                      SHA1:4480B6DE0CE67A9DFC4CF70BBB00C8336629BBA7
                                                                                                                                                                                                                                      SHA-256:BFC17FCA01C65C1E5B32ED0225B354D9613764A3A51DF5B1C464031608D97179
                                                                                                                                                                                                                                      SHA-512:5D48FC54948C4FB80E0C506554F140476CEB6901BC9A1D11A577C2C6293415C1F69DE420E36E8840BDD8B5372F45A4DC8E2BBAC5CE21643A497CE77D925826EE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1436200
                                                                                                                                                                                                                                      Entropy (8bit):6.78131691404635
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:as5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEsB:hlI+vIjE7mjOuKa8Riy+gvhaIn2+0y
                                                                                                                                                                                                                                      MD5:7C0A2478D0C82CAE07C4435E29A10D4C
                                                                                                                                                                                                                                      SHA1:DEA183C555F7DC655EF9A67CCF887F4529059E4A
                                                                                                                                                                                                                                      SHA-256:68DADEE50F471C04AEF8C9498997F7E7E60100C4D0047784C47F9E8C9BA287C1
                                                                                                                                                                                                                                      SHA-512:6F30F47F6AA27418025A4325604D7EC6931B73544D86705532DAFB8AAEA153DCAE63F58AB51FF49DC7A572B4B38E7BD0AEF2C3CB82C33CE8542DD4D17099AAA5
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):584433
                                                                                                                                                                                                                                      Entropy (8bit):7.9996007806235445
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:12288:AaPKah+cOqB7YBiq57hmRYB2Vb7mde3FV/ruWIwUhA2yaJ4Gi1Cx/cL:xiBiqIYQF7/7ruQWA2Xxi1wS
                                                                                                                                                                                                                                      MD5:B50834694383960830CF48D9836E1108
                                                                                                                                                                                                                                      SHA1:ADC80813181B98A8296BEFA2960A55F939F3BFEE
                                                                                                                                                                                                                                      SHA-256:370A259808052366888284B0CC4C91FF8F23E8008003959B8D0EFB1ADBF00CD6
                                                                                                                                                                                                                                      SHA-512:F87BE933E87275B000BE031AA5DF7536DFD5FE9B99A607CE0904F206E074D3A0687A00654B9B78EDAA2FCCF3D30526E0EE5BD7DCBA4A5DAAFD6FC60EEAAA15C5
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):57896
                                                                                                                                                                                                                                      Entropy (8bit):5.807323990997079
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:rNvSjQvTQYc1IY1OwcujXQft0k5df9bq76In:rRSjQvMYcSIJcuMftH5d1bqL
                                                                                                                                                                                                                                      MD5:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                      SHA1:293CAE66CEDBC7385CD49819587D3D5A61629422
                                                                                                                                                                                                                                      SHA-256:0568E0D210DE9B344F9CE278291ACB32106D8425BDD467998502C1A56AC92443
                                                                                                                                                                                                                                      SHA-512:1A3C15E18557A14F0DF067478F683E8B527469126792FAE7B78361DAD29317FF7B9D307B5A35E303487E2479D34830AA7E894F2906EFFF046436428ADA9A4534
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):535
                                                                                                                                                                                                                                      Entropy (8bit):5.076084597400077
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                      MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                                                                                                                                                      SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                                                                                                                                                      SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                                                                                                                                                      SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):12
                                                                                                                                                                                                                                      Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:WhXSnn:WBe
                                                                                                                                                                                                                                      MD5:39DF0BC698F203A4FEF18A68A7B0EADC
                                                                                                                                                                                                                                      SHA1:0EA8D556AF659E0C8D6406B5B3E7E56EE6A10188
                                                                                                                                                                                                                                      SHA-256:F8DD3CEC3612C302B45EA9539002625E58E528A5CB68B4B0E6C3C2A378122C1A
                                                                                                                                                                                                                                      SHA-512:E6FF51381293BFD52EAE39B9868968A76D94BC993BAD5566C532A30E5EE5FE121C2F5B8EAED7ACEE59E3F6B8C1B3BEBB53B07B46F572F3498B1800B0DEAC128D
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:version=27.6
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):96808
                                                                                                                                                                                                                                      Entropy (8bit):6.179305078416296
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:nJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762y9:nQUm2H5KTfOLgxFJjE50vksVUfPvO1c9
                                                                                                                                                                                                                                      MD5:BE16D0F73D33053C3817894C955BFA43
                                                                                                                                                                                                                                      SHA1:6B79C7034EE0E4DBC4B90ADC3B47BF395CAE052D
                                                                                                                                                                                                                                      SHA-256:434EA180FF3960ADF251CF34B8333A1BD70EAA7BDF42279317F2ECD7B7CCEAEB
                                                                                                                                                                                                                                      SHA-512:6F08EC35E1D194328CD923FC22C6BBAFB072497ABA03DAC59F8E78C99D2CC3C87237CC5178CFEBA52078AC729286B8221FD7A8CD676A5A49D2879C553DAB332A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):186408
                                                                                                                                                                                                                                      Entropy (8bit):5.933461189028906
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:mkfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFxYV:g+c7b1W4R6joxfQ8Y
                                                                                                                                                                                                                                      MD5:7989DFD7A0AF54F59AD5C3E483A66CF6
                                                                                                                                                                                                                                      SHA1:4F323F2E5174A789A31068DD76355447DB61AFFB
                                                                                                                                                                                                                                      SHA-256:0E47E3F0432060BAE79988A622AAB4334328F85FE443D764D4C81D94C9F3DBAE
                                                                                                                                                                                                                                      SHA-512:757182DF2492B66E06AA3B1854DAB487BB512FC5FBCE869CA4265218F5889D2D5B3748C2FC5B458FA148D10F3F5B61028DCA9B789F6766689BA1A24E9BE06936
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):331816
                                                                                                                                                                                                                                      Entropy (8bit):6.168523582236471
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:ZBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTk:ZDMUWITZznu85k8Wdn8KmCjIFi3VvY
                                                                                                                                                                                                                                      MD5:41E6FC15337B1F2F556E3DE56D0DB476
                                                                                                                                                                                                                                      SHA1:EF8EAAC6EF9B00383B48762773A5110D7C2F3EEA
                                                                                                                                                                                                                                      SHA-256:81D43F8C0726143F28A33390B78E540C75F48733C3518B9D605C2E52AC0554C4
                                                                                                                                                                                                                                      SHA-512:56956F6BBB56BF481B1434ADC0D37303065206FC4ECA8787B6EC8CD089D7C619875C62BBD282F5F0D9A69820937651968CC343CF5AE251B08345997BDD0555C7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710184
                                                                                                                                                                                                                                      Entropy (8bit):5.960700401761297
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:NBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUD:NBjk38WuBcAbwoA/BkjSHXP36RMG+
                                                                                                                                                                                                                                      MD5:2CFBB3EA34E3EAEFB478A1C0BF00190D
                                                                                                                                                                                                                                      SHA1:A9298FD5C46D97C296E06B9D9D4034C2EC657D57
                                                                                                                                                                                                                                      SHA-256:34FFBC77AEA4058D6B4EF621815B5C56EDD35585888FBCC2DE10E7B176EE3A3A
                                                                                                                                                                                                                                      SHA-512:DA46D62BB6466E9B8DF21E75C594C06CBF3D79C8FE6038469B74F6562CCA9B38A482F386034F7B3C0D9DEEA6C5D0420AFE0EA08E59B1BBDA1C07B866D9F0B352
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):55848
                                                                                                                                                                                                                                      Entropy (8bit):6.238377987704794
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:SREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpxDEpYi60WLS:SR8+5k15z0WBZEtgwJx876FG
                                                                                                                                                                                                                                      MD5:2FB2CD6CC7C0B40202165C2ACF27F3FC
                                                                                                                                                                                                                                      SHA1:D3125C28C46AD0083EA1EB65EAE6FA077908D985
                                                                                                                                                                                                                                      SHA-256:4E83AE51D18FABA26E8B1315C199AF46DF7A1AFB18390DB30337679DF54A7812
                                                                                                                                                                                                                                      SHA-512:C84CB5DE47798E6F0459BE87BCBA514FC14531F361909A2B81CFD6B477206B75C9F0F338C1477BF9A87BB7D08ACFEB99342EC5C9F1535F510BE742A27B5ED099
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):602672
                                                                                                                                                                                                                                      Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                      MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                      SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                      SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                      SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):73264
                                                                                                                                                                                                                                      Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                      MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                      SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                      SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                      SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):753
                                                                                                                                                                                                                                      Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                      MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                      SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                      SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                      SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):7466
                                                                                                                                                                                                                                      Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                      MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                      SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                      SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                      SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):145968
                                                                                                                                                                                                                                      Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                      MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                      SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                      SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                      SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1442
                                                                                                                                                                                                                                      Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                      MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                      SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                      SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                      SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3318832
                                                                                                                                                                                                                                      Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                      MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                      SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                      SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                      SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):215088
                                                                                                                                                                                                                                      Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                      MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                      SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                      SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                      SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710192
                                                                                                                                                                                                                                      Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                      MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                      SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                      SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                      SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):602672
                                                                                                                                                                                                                                      Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                      MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                      SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                      SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                      SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):73264
                                                                                                                                                                                                                                      Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                      MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                      SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                      SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                      SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):257
                                                                                                                                                                                                                                      Entropy (8bit):5.172971429921891
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:AIic/ALHM9w3pKFSQ00LPY288S9UOB75Uk1DEIB754DX:9iTMSQ7YkS2OdNEId+X
                                                                                                                                                                                                                                      MD5:E7B8C53B41F918330D2F6135B92B9C69
                                                                                                                                                                                                                                      SHA1:DA6DA2B0A21DDF80078C0A6AD9BF8B2B9E1E06AE
                                                                                                                                                                                                                                      SHA-256:705E73C6586359B2D551FAAC1D36F60799EF3BC744905D5DD9EF887F99D6CF3A
                                                                                                                                                                                                                                      SHA-512:95BAE9022E78791CA5A3C79CC2406E182CFD33B5B1F9B758B479545862CDF1C831B0420C7237159F3FEB6CBDE31C255C424EF3ED7A2E3BC2F90399EB9D6554CF
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:/i /IntegratorLogin=contato@plasticoseireli.com.br /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q3000005bkCOIAY /AgentId=129f3953-acb3-4c59-97d2-68ee1acc4037.14/01/2025 13:34:15 Trace Starting..14/01/2025 13:34:29 Trace Starting..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):178
                                                                                                                                                                                                                                      Entropy (8bit):5.089392440634589
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:5PbTsPJekISqNZWWSpigAdrmsZ6UgMHwirmfm/pYdss7Ro3Tufrsf3J2MzqRI+OS:RbTGeDSQ8zhuRgMHRmfvETuj25rmRcfy
                                                                                                                                                                                                                                      MD5:4E5AABA03B0A44FBF2817B79E428EA2E
                                                                                                                                                                                                                                      SHA1:26A1F26A9166D834F695EE365B3E99B1FA5C427B
                                                                                                                                                                                                                                      SHA-256:28F491DE758DB7C77924C6F58F1CF6F595A69361CC16A2AA2BD0F0B7599E8959
                                                                                                                                                                                                                                      SHA-512:5AB2E59FC8812488F4E308FA46FD356B1F53052EF3C32BAE209B14F509C68758FAB1DCBF5FB19CCBF57E24897EC9D4BA3AC2DEF1D4914184296FCB177D4E926E
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:eyJJZCI6IjliNzNjZDk0LTkwNDEtNDdiMy1iMTZlLWEwNDA1NGEzN2QxNCIsIkNyZWF0ZWQiOiIyMDI1LTAxLTE0VDEzOjM1OjEwLjExMTIwNzMtMDU6MDAiLCJNZXNzYWdlIjoiX0lOSVRfIiwiVGltZW91dCI6IjAwOjAxOjAwIn0=..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):257
                                                                                                                                                                                                                                      Entropy (8bit):5.172971429921891
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:AIic/ALHM9w3pKFSQ00LPY288S9UOB75Uk1DEIB754DX:9iTMSQ7YkS2OdNEId+X
                                                                                                                                                                                                                                      MD5:E7B8C53B41F918330D2F6135B92B9C69
                                                                                                                                                                                                                                      SHA1:DA6DA2B0A21DDF80078C0A6AD9BF8B2B9E1E06AE
                                                                                                                                                                                                                                      SHA-256:705E73C6586359B2D551FAAC1D36F60799EF3BC744905D5DD9EF887F99D6CF3A
                                                                                                                                                                                                                                      SHA-512:95BAE9022E78791CA5A3C79CC2406E182CFD33B5B1F9B758B479545862CDF1C831B0420C7237159F3FEB6CBDE31C255C424EF3ED7A2E3BC2F90399EB9D6554CF
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:/i /IntegratorLogin=contato@plasticoseireli.com.br /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q3000005bkCOIAY /AgentId=129f3953-acb3-4c59-97d2-68ee1acc4037.14/01/2025 13:34:15 Trace Starting..14/01/2025 13:34:29 Trace Starting..
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):145968
                                                                                                                                                                                                                                      Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                      MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                      SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                      SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                      SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1442
                                                                                                                                                                                                                                      Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                      MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                      SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                      SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                      SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3318832
                                                                                                                                                                                                                                      Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                      MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                      SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                      SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                      SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):215088
                                                                                                                                                                                                                                      Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                      MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                      SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                      SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                      SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):710192
                                                                                                                                                                                                                                      Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                      MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                      SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                      SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                      SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):602672
                                                                                                                                                                                                                                      Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                      MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                      SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                      SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                      SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):73264
                                                                                                                                                                                                                                      Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                      MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                      SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                      SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                      SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 text, with very long lines (514), with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):9519
                                                                                                                                                                                                                                      Entropy (8bit):4.902271147017698
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:ydP0KvBLCqikR/EgGJLrlwD+eilNi5Py1SDeoDXDw9lF5OMz6Q:PWBuqikR/EDJLriwlNi5KI1Tw9lF5OjQ
                                                                                                                                                                                                                                      MD5:31C5A77B3C57C8C2E82B9541B00BCD5A
                                                                                                                                                                                                                                      SHA1:153D4BC14E3A2C1485006F1752E797CA8684D06D
                                                                                                                                                                                                                                      SHA-256:7F6839A61CE892B79C6549E2DC5A81FDBD240A0B260F8881216B45B7FDA8B45D
                                                                                                                                                                                                                                      SHA-512:AD33E3C0C3B060AD44C5B1B712C991B2D7042F6A60DC691C014D977C922A7E3A783BA9BADE1A34DE853C271FDE1FB75BC2C47869ACD863A40BE3A6C6D754C0A6
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:MICROSOFT SOFTWARE LICENSE TERMS..MICROSOFT .NET LIBRARY ..These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft.. * updates,.. * supplements,.. * Internet-based services, and.. * support services..for this software, unless other terms accompany those items. If so, those terms apply...BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE SOFTWARE...IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE PERPETUAL RIGHTS BELOW...1. INSTALLATION AND USE RIGHTS. .. a. Installation and Use. You may install and use any number of copies of the software to design, develop and test your programs... b. Third Party Programs. The software may include third party programs that Microsoft, not the third party, licenses to you under this
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 text, with very long lines (755), with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):96177
                                                                                                                                                                                                                                      Entropy (8bit):5.252050138452329
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:HA9jHwLvGfgg39/zwgAVkguQhrDjugtSEGepkWvrpX7anuqdLSVnfiStPq+3LefF:HA97wyogz1AVxuMjHtSFULryLOgrGWwc
                                                                                                                                                                                                                                      MD5:90630D9EE3E0A5672166A45E00F79A5F
                                                                                                                                                                                                                                      SHA1:D1148F8C7558E9B8A81BF1F50F9E3BED89D9928C
                                                                                                                                                                                                                                      SHA-256:1271701F435F7FE4AA81DC7E273CA80B6391B73580EE20B35A956052C95DE4CF
                                                                                                                                                                                                                                      SHA-512:29E10BD57D1C580ECE70B9B7C4A69DC036A5A64012EB89BA360A71BE6B808150610EA0737351277A3D4235C02323FABEF29F092FA6B2A40F0289F55A7973E93D
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.NET Runtime uses third-party libraries or other resources that may be..distributed under licenses different than the .NET Runtime software.....In the event that we accidentally failed to list a required notice, please..bring it to our attention. Post an issue or email us:.... dotnet@microsoft.com....The attached notices are provided for information only.....License notice for ASP.NET..-------------------------------....Copyright (c) .NET Foundation. All rights reserved...Licensed under the Apache License, Version 2.0.....Available at..https://github.com/dotnet/aspnetcore/blob/main/LICENSE.txt....License notice for Slicing-by-8..-------------------------------....http://sourceforge.net/projects/slicing-by-8/....Copyright (c) 2004-2006 Intel Corporation - All Rights Reserved......This software program is licensed subject to the BSD License, available at..http://www.opensource.org/licenses/bsd-license.html.....License notice for Unicode data..-------------------------------...
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):146744
                                                                                                                                                                                                                                      Entropy (8bit):5.79986521836759
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:tEsPhV8tszk08NHPNZewbrfLLAISe7OQ4sfDW99zj:isPhjXoKwPjae7O1sfDov
                                                                                                                                                                                                                                      MD5:71026B098F8FB39C88B003DF746D9FA0
                                                                                                                                                                                                                                      SHA1:013CA259F551AD6F33DB53FFF0E121E74408E20E
                                                                                                                                                                                                                                      SHA-256:11058E8C2CD05F30DCF1775644BF19D2913C9A6D674C12F91D1896D95D9CC5C2
                                                                                                                                                                                                                                      SHA-512:9830BE3444225A4B2F9FA4AEDBC8AF4F45FDB2548F0B6A2EBA2A2A407EA3C7D8FD78C0E37FAC66CAFBDFAD781AE78B076D225FD5C836A451F57A54053CCEF9AD
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):350496
                                                                                                                                                                                                                                      Entropy (8bit):6.298534795731922
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:zoo0qOJezezqrPeYvCuV10J3keQRJysmFTHABK/o3BCLNzWNxEvf5NCnFeotrcRw:0o0qOqqYvCuV1jyFTuKA2zGxuIeotdt
                                                                                                                                                                                                                                      MD5:00F6FC45937B885439CC6C1A34DC96C1
                                                                                                                                                                                                                                      SHA1:5DF3EFD8A49B91E5AF676D35C02E75A640F4755F
                                                                                                                                                                                                                                      SHA-256:130A3656B07A317F859D542C0F11339F3D0BA4198169853781A3FC04ED64C907
                                                                                                                                                                                                                                      SHA-512:75F088C244271142C58A7CA8F42EE68B910332AC2A23C44F7E6F6C38FF2334F96B8F28EF312A79461F5C631B07110403523B67245BE8D3C7B6D0368913438085
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):50
                                                                                                                                                                                                                                      Entropy (8bit):4.0704355005135815
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:325AWcQytHRNVQZQOhA:A8d9YhA
                                                                                                                                                                                                                                      MD5:4D9989D0E3454FEDFE945413784ED69F
                                                                                                                                                                                                                                      SHA1:8FCB584624E6CAF18B7687715BC36C7680453FA0
                                                                                                                                                                                                                                      SHA-256:439EAC83A94CC3C6B5A272A627396E879C7C449032B983A66EB904541A0C4F22
                                                                                                                                                                                                                                      SHA-512:38127E4F8C161F3C5ADA1800012F2D492753599AF40AA9E05563FF5DECAE54034D9EE7A334C219F704683E120593077D5DA510A9B3A0151A8246875B9A9876DD
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:9cb3b725e3ad2b57ddc9fb2dd48d2d170563a8f5..8.0.11..
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1005840
                                                                                                                                                                                                                                      Entropy (8bit):6.7186531276890715
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:06dJq30vVE6z8LpeNY+9whtbShFtHVu9yHesCGDUD3I1i:FQ34VEYKaY++tbiHVu9yHFgrt
                                                                                                                                                                                                                                      MD5:9B2A6ABE569D6BFF344CF07D3DF523A3
                                                                                                                                                                                                                                      SHA1:2856F7F922F70A44132D02C0723EC2FA91E1FEDB
                                                                                                                                                                                                                                      SHA-256:099BC112DC645BC4A1FC453E3B4C1FC93A164BFAF69E84C85C2B6EFAC0F7FAAB
                                                                                                                                                                                                                                      SHA-512:B649400460CF236197ED168702707FB7E81FE4AA3D2542EDC07B1D3E1C520C6ECA54F77F7ABDB2DB297AEA0BC82E7A07ABF99A89CB958FEC138CDEE4FDEC5E79
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2309152
                                                                                                                                                                                                                                      Entropy (8bit):6.414576855139372
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:jH+fGgFyzuNiG6H0n8D1gkrz/OAyFAopdrq/c/:+GgFQq8DT/ZyFDN0c
                                                                                                                                                                                                                                      MD5:A71CD05C01F0FC603C0BD782516F806D
                                                                                                                                                                                                                                      SHA1:C15E261D5E7318875D324D28AB70A883CD434C81
                                                                                                                                                                                                                                      SHA-256:7F8DCF37D9D66EAE14C48A79FA2FCD447BD0F38A21BE0203A9C4A89398AACF28
                                                                                                                                                                                                                                      SHA-512:CE53F6DC1F02889ED6FB1F8DF226F9BADBB039F79505CDBD599A00A32B6617DA5E19F2AD7F76BB8134B3CCAD39FAB2209ED8EC6AE42CD30402C4E450FC19FA88
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):28699
                                                                                                                                                                                                                                      Entropy (8bit):4.283179767103418
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:Q5YQAiYV696T6cCCvPvk29kBQTXvK/XgNJu8pLkRtQojki7JE5GMLQGGxeMCg0g+:Qdgmc2HAweAu+LwZXxa7c8nAeNIoEfAM
                                                                                                                                                                                                                                      MD5:B2CDCC03969704428D83706F823BD8C8
                                                                                                                                                                                                                                      SHA1:62031804C9A9482E45EF1C349CB1631154833126
                                                                                                                                                                                                                                      SHA-256:12F467B3C16265775872ED121223DE71FDB965518E037CDAE566421B4F499E56
                                                                                                                                                                                                                                      SHA-512:2936CE1EB9AF678933A3E3467E0C59BC06413649F026E63C49D51A2C1A7B3A7F7D3F1FEDA51DBDA728B7913EB6429E212971B9AED905CAC7BFF648C1DFEC1B6E
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v8.0/win-x64",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v8.0": {},.. ".NETCoreApp,Version=v8.0/win-x64": {.. "Microsoft.NETCore.App.Runtime.win-x64/8.0.11": {.. "runtime": {.. "System.Private.CoreLib.dll": {.. "assemblyVersion": "8.0.0.0",.. "fileVersion": "8.0.1124.51707".. },.. "Microsoft.VisualBasic.dll": {.. "assemblyVersion": "10.0.0.0",.. "fileVersion": "8.0.1124.51707".. },.. "Microsoft.Win32.Primitives.dll": {.. "assemblyVersion": "8.0.0.0",.. "fileVersion": "8.0.1124.51707".. },.. "mscorlib.dll": {.. "assemblyVersion": "4.0.0.0",.. "fileVersion": "8.0.1124.51707".. },.. "netstandard.dll": {.. "assemblyVersion": "2.1.0.0",.. "fileVersion": "8.0.1124.51707"..
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):53
                                                                                                                                                                                                                                      Entropy (8bit):4.039544162952557
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:3Hpn/hdNxDI/pAtSFFy:3Hp/hdNyhAM/y
                                                                                                                                                                                                                                      MD5:0828CC814843C0960554265CDA859EF5
                                                                                                                                                                                                                                      SHA1:0140385A9E76436A7F3FED45136462F3393B5CBA
                                                                                                                                                                                                                                      SHA-256:AC377253F9F7CF9D6127D684369DE36DA123D992CDC2E17950E3C8BF9688DF76
                                                                                                                                                                                                                                      SHA-512:22CBB29225F35CEA4329A08BE760420CAB6AB7EA85628436B7518759E09ACEE8F382D79C800E5C8F6BA647CA98B32A35A3A52CC1CB5B9CBD2E3B20FA314D839A
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:{.. "runtimeOptions": {.. "tfm": "net8.0".. }..}
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1247496
                                                                                                                                                                                                                                      Entropy (8bit):6.749340069071408
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:psvPzOPj/l89Sk2f+/eOUCxRepC3/Rk3isQFqULFL:psvPzOP7ymf+/TZq3id
                                                                                                                                                                                                                                      MD5:B3D3DA24C19B47259D6C23F753AFBD8A
                                                                                                                                                                                                                                      SHA1:923B52256967DCF9AE35406B803304CB97B5510C
                                                                                                                                                                                                                                      SHA-256:816DE66126C5EFA65483B583F6A320C284E47FC7030F8CBD7DBED745FEDCD656
                                                                                                                                                                                                                                      SHA-512:D959B6AFE6561084757F1E685167BFECCD94D44F41ADF98D8DF8AEED22296DC16C3484EFABF2EBBA7988825BE5772D51E1E179C91C8B52F024EFCDDAC77DFBEA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17712
                                                                                                                                                                                                                                      Entropy (8bit):6.610099146248559
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:6ku3cV6HxWmH639QdWSdX6HRN72YMTR9zUMq:ruMV/oWDg9za
                                                                                                                                                                                                                                      MD5:3B3C142639335F9B615C0DE17BACB2D0
                                                                                                                                                                                                                                      SHA1:C599AA74C3D0916D6E0BAF0949C5A6894145C6F2
                                                                                                                                                                                                                                      SHA-256:BD36D4FD23D717FE88F2AFEB563EC6034D7FA482278156D99EF3CBF11EC2A5D5
                                                                                                                                                                                                                                      SHA-512:87A3D33BE2DD049D906EEA8266FA4EE4694A81E3EE07F8205CACACC75B141605DDA2D454905BA0196FE26B8C7E68F9F2469AF2AEB4DD92FFA4A65F4C026AEBEF
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15624
                                                                                                                                                                                                                                      Entropy (8bit):6.833706261769825
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:eiBpXxu0xtWhPMpWfpWjA6Kr4PFHnhWgN7acWtNfKUSIX01k9z3AGxdUK9:eiLBPWhPMpWfYA6VFHRN7Gh2IR9zJn
                                                                                                                                                                                                                                      MD5:9B22CFB5BED886C6969E9C2BCA6AC35C
                                                                                                                                                                                                                                      SHA1:10136331C4C4C97581055C94AE57D96DAA050FC7
                                                                                                                                                                                                                                      SHA-256:150CE7473F17D708E846CCAFD9BEEAB9C341C28A130F6E37630ACAA622754A8B
                                                                                                                                                                                                                                      SHA-512:E0C31B87191F833492149D9E17FB0CEB6FE15E0E053FD5959223835719F727B9524D6FA4E33EA167FF26CD912096AA455F0E6EA16BD377722D7BF9F2400B760F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):121128
                                                                                                                                                                                                                                      Entropy (8bit):6.1482993626679106
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15664
                                                                                                                                                                                                                                      Entropy (8bit):6.754633849646731
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15656
                                                                                                                                                                                                                                      Entropy (8bit):6.745504174553825
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):276744
                                                                                                                                                                                                                                      Entropy (8bit):6.728786186995529
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):837928
                                                                                                                                                                                                                                      Entropy (8bit):6.723068549493689
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):104752
                                                                                                                                                                                                                                      Entropy (8bit):5.951214543616432
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):104760
                                                                                                                                                                                                                                      Entropy (8bit):6.023688556329198
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):260400
                                                                                                                                                                                                                                      Entropy (8bit):6.618537900857936
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:unxoXLUDXDiKNYX8qTKfAyryS1rIgD3lgT:mxCUDXDiQ+jTURrhFLlY
                                                                                                                                                                                                                                      MD5:F79C5255B5A8113246917AE7681E4A24
                                                                                                                                                                                                                                      SHA1:CC1B9BED6269BB109657A3BBEC56F54C31444B0E
                                                                                                                                                                                                                                      SHA-256:5B20181EE4E188AA6B328C107FEE9506E63EFE3A4F9D2C3517EF2972B6AA1211
                                                                                                                                                                                                                                      SHA-512:731AB48B1913FC9BA4F8D25EB497EF860796FFCA7364AC91D18BE2DCB243CDA6BAE0BD141CD6B8CB77C940253FE642BD44D85999003DD5701BE9242A6BDAB5BB
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):203048
                                                                                                                                                                                                                                      Entropy (8bit):6.207009954800782
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:Fyzc/yxHdJdq+4dCLLe6Yfn33wmMWQArD5/oE5bF6fLUV/Yqp:omyx9env3wzWQArcUV/Yy
                                                                                                                                                                                                                                      MD5:60AC5526E44A9F031F87CD84CEC7140F
                                                                                                                                                                                                                                      SHA1:4DFF306D8D13C393EB5924BACF4788397FE29B03
                                                                                                                                                                                                                                      SHA-256:7ABBB89A3B170A9DB8894B7B6E24A6CE99340F6938E1B78A1DE0A941B8B5BB61
                                                                                                                                                                                                                                      SHA-512:18F1B98E350D32DB9269CCB8B650D9E433BC18CE5CBC69B37082E182B3793900616D60814215FE6C5B39C2811A5A9153B6D0BCFD8BB00DA499AB8CA76410CB78
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17176
                                                                                                                                                                                                                                      Entropy (8bit):6.675054821557407
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:BjpmblJeIeGXxlkGl0Wu+XWEtX6HRN7klMR9zPyjO:BLc/Wk69zKjO
                                                                                                                                                                                                                                      MD5:F8ADC8C164B2D4E9D87DCABCBDA95B44
                                                                                                                                                                                                                                      SHA1:2D78A2C285FD096612530ED90BF7FBA8A2AE1392
                                                                                                                                                                                                                                      SHA-256:E49B3F50FDB62357C70C944EF84DBCDE9DA86D2833882EA08AC28B1D3DA0EBBB
                                                                                                                                                                                                                                      SHA-512:254E544BE19F32F0DF65627F80EF5D456B52FE38DCA7F1B498839649318CC6A60EC0B81984548BBB20A39753EC4904EC74AD057D2DE2D128CAB81E1FE5444143
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):47368
                                                                                                                                                                                                                                      Entropy (8bit):5.343354931264753
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:fWvPwWlrTB3PadWBj/Dqhzq1c8dgfL9ikyr46JXfCvDXxO88+aEZ4jIwVPBvAN4x:MflmYlkB9n88IVJg86FClUU9zwa
                                                                                                                                                                                                                                      MD5:8118646098B1A4570BB29A5D867A1983
                                                                                                                                                                                                                                      SHA1:58787C4A3E3285BA9C7E7B7574C552467FD96F6F
                                                                                                                                                                                                                                      SHA-256:6C2BA61732037024199D6CB5841E41A51370399ED8E9402D20D378C4C79DCCDC
                                                                                                                                                                                                                                      SHA-512:2CA167E4AA6DEC9B3C811F22DE33FF92DDA58E170EBD322DE54D1725AB6A47403DA7D595A18BE7F72DB2C28C03E620F2505992B29E32BA731E5E442AEE9DF023
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):80136
                                                                                                                                                                                                                                      Entropy (8bit):5.846320393478092
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:MI5/UZMu4Thd+Cv8A/oqevD2olsmIbktDinxze:Mr4X+S85qKD2ommIiOK
                                                                                                                                                                                                                                      MD5:BC478FC2764A94C56E69E9E38A51452A
                                                                                                                                                                                                                                      SHA1:1C199BF6064992A5A81472B091A01F45B4442889
                                                                                                                                                                                                                                      SHA-256:304635DBC025B5C3BFF78DF48C19980E9B52C632A7D3C145B61288F546293BF7
                                                                                                                                                                                                                                      SHA-512:AE81A6CE5E66CDDE1B074474459DB6081C627B8B38E0F959EBCDEE02AE935BB022E66F39A4451989AA59E3EBB15CE3052CC23DDEE4C9DB5E6649D33EAEE484B6
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):747824
                                                                                                                                                                                                                                      Entropy (8bit):6.643641560609559
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:8tbWtrTblAqmrIofhCXvdb+/ipZ76GaEFBiXMSuD7QLohk+xLRxw5:81WtrFlmrNfhCXvdb+/ipeEFBiEDMSk1
                                                                                                                                                                                                                                      MD5:DB6BCFE78A5A8BA98D4042A2567933F2
                                                                                                                                                                                                                                      SHA1:463D999211CCE7B669437DF3935BE627DCDE8E7B
                                                                                                                                                                                                                                      SHA-256:CD7E2EF84253D24807DD61EF644F5AD8042656340DD02830E3F22E6A7EAB8D06
                                                                                                                                                                                                                                      SHA-512:FD099BFB3C1328602458C6F2C4F7C9FD470CBB0ED78CEADBE70F92E4860701AF956504A4C18443DCCBA63A819D764F1FD3CD3E82A21214FC5189EE2BD0D1C8A5
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):30984
                                                                                                                                                                                                                                      Entropy (8bit):4.326509735182786
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:+W4I1Wzqib+d0PMpYA6VFHRN7UYJ2R9zU3:XF5FClhK9z6
                                                                                                                                                                                                                                      MD5:040F8D89AA869EBAE8DD21141ED326B0
                                                                                                                                                                                                                                      SHA1:DD4B5B58DFE497F76F61891B8E62695310262896
                                                                                                                                                                                                                                      SHA-256:0BF9E3E6C8327B7DB4372F27507A71BF0EF06B22F042BBACF4A860F0922BE1FE
                                                                                                                                                                                                                                      SHA-512:6AD73EBE3CB5FE756D5BBACDF6BA09D490D619A1067DC2B6945871F6B7EE5C8901C45B491A26B23E74B8911F396F61EA9A88DE4B2F6BACD1CBF9E20496EF527A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):19760
                                                                                                                                                                                                                                      Entropy (8bit):6.50388265626174
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:TMXTSv/fUNRvGZYdf3zyP/weP+YHTWvANWxRX6HRN7h9bt5R9zExRK:qQPVKWjx9zsK
                                                                                                                                                                                                                                      MD5:96C347B57AAA9AB1CFA8365585E9C9A1
                                                                                                                                                                                                                                      SHA1:17B2B2F1019CC93ED1AEF0BE445CB1053C01341B
                                                                                                                                                                                                                                      SHA-256:19C65DDFD1C484306C928BB8AE838215F7A689E757326791E50FD3C488CD1284
                                                                                                                                                                                                                                      SHA-512:EC1DC25698B055F2C72A435F7C62B93635959A09C142D8908C2B03CEDF45B2E138A27DD227F4CAFA701897B8A305071346056DFE9017A1E0229C6A640B36660A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):174376
                                                                                                                                                                                                                                      Entropy (8bit):6.280397830530098
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:zqPlmXCzdfd6+Vfz5mDVV9evshARZvgL4OUgZjZXR1BB1GlKi7:uPoXifd6qwV9eEh2ZvgmQ9bB2KG
                                                                                                                                                                                                                                      MD5:E58A5726978B1DFD94B6B4CB38102340
                                                                                                                                                                                                                                      SHA1:D1A561662830FD01351341CA862BB93191095338
                                                                                                                                                                                                                                      SHA-256:8469DEB8C7D532E8857F5C68DEB291035103DEE3698BF5005F4E08C5BD05775A
                                                                                                                                                                                                                                      SHA-512:2D7B698720D7AB2E8535A68AFA3ABA41D39A888D05E59454CB7E35EE04E9E3CAEF52EA9BE46BCD8E28C7EF4E4098F168D7D0580347A9F980893198995301A388
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):23848
                                                                                                                                                                                                                                      Entropy (8bit):6.307580885714362
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:/S9H4Ay0l9Jr3OzFPhoact/iKMePLexkrW1rU1ZXt5zElfWXJ2WoYA6VFHRN7kxJ:K9H4Ay0l9Jr34FPhoact/iKMePLAxivR
                                                                                                                                                                                                                                      MD5:85A20E6FF4565669D120A52C00B12775
                                                                                                                                                                                                                                      SHA1:4C648D4161C9FD6C7FAABCDE1ED7F45A68E98A50
                                                                                                                                                                                                                                      SHA-256:CC23F980E20FCED097A234AEB379D9C9C1F5235B93126709199815E96D8F2217
                                                                                                                                                                                                                                      SHA-512:96DCADABD7A73584BB58459404ECD011F088AFE6BF92E413BBE69F9EC329B651415405838100513358DBF09A3EDEC23792A6C54C9BDDFDBE74870BCF74421180
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2861368
                                                                                                                                                                                                                                      Entropy (8bit):6.795825527603884
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:9flMLj5HODx+ncGZUG3k+mywJOHPxIyiNgnssolXWMW03Rz7F5hBh0TX1G:lOCOZIunssolXWMW03Rz7+Tw
                                                                                                                                                                                                                                      MD5:38154C0B1654E7B38878A8D20A804979
                                                                                                                                                                                                                                      SHA1:EAE6B02D412B61A64E9FE87B62B77B0A940CC899
                                                                                                                                                                                                                                      SHA-256:85614A082FDB244379E34EDEA86AE8B7DAA71EFB61E52868675E5DA7685FB72F
                                                                                                                                                                                                                                      SHA-512:1E487C6AF8DEF70C168B86843113BE3B0DF15CD978C68FBDC65A0F371276428731241EF315C192E85BE27234CFA6EB1072E48778C36B8845C8DA86E9614CAA73
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16184
                                                                                                                                                                                                                                      Entropy (8bit):6.666464376103628
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:gmoHF/wAisWaS7W5hWxNzx95jmHnhWgN7a0WO8flXefqg7i1X01k9z3Axpzu8:HoVWaS7W5KX6HRN7QYR7i1R9zORu8
                                                                                                                                                                                                                                      MD5:9783A0CCD5A64883445821E1F071076F
                                                                                                                                                                                                                                      SHA1:C710BFBB818BF9F27F123F07E90DE7DC98C9F6D8
                                                                                                                                                                                                                                      SHA-256:55E5BD120160DDD157A2F11C8D8F9AD99972BAF1FA78C37647B0A34F268AC0DC
                                                                                                                                                                                                                                      SHA-512:23052276DD8F811D240A277FE3C7C77743FAEADC54548E4EE712D5AC4DB7921988406E66B9CEA24A0AF1D73A4D31AFA14E2ED81E87C1F874EFC36C7DF4FDE785
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):25384
                                                                                                                                                                                                                                      Entropy (8bit):6.290197216885165
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:DWAAaFiTCmM82SuxDJQqMWioFWNwYA6VFHRN7IYMTR9zUQ5:CpaFiTCm0DJQsywFClVg9zR5
                                                                                                                                                                                                                                      MD5:7AA4CC0823A68484980CCB05380826C4
                                                                                                                                                                                                                                      SHA1:7A74462318DDB1B472CA7DD9BB30B05AF2C38CB4
                                                                                                                                                                                                                                      SHA-256:04C204B1FC3B287A1C236AE14A6B397FB32BAB493FCEA64EBA78C8BB234FA37B
                                                                                                                                                                                                                                      SHA-512:D7A58F21889D0CBE1AF6BDF1F009D00EA66B79512F05613EE429964CE6C789FACA1B5CEF6DDFB463D607C498A7BE671601DDC18474124E2A184049222F543C9A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16664
                                                                                                                                                                                                                                      Entropy (8bit):6.674104191430389
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:meVamI4NZKxZ88W6Z2WIW1AWxNzx95jmHnhWgN7acWnFx6RMySX01k9z3AcyFaZr:DVae+y8W6Z2WVRX6HRN7SuMR9zPyoa0
                                                                                                                                                                                                                                      MD5:53A5965A6A8EA3D8EC5FA56EB53A88A4
                                                                                                                                                                                                                                      SHA1:669AF6E47FFE94CC600E21A4EB052C05F65BFF01
                                                                                                                                                                                                                                      SHA-256:F8179EF7837F7BF555720B9FA8C49243365794C28D2F7381E612BFC548681DF7
                                                                                                                                                                                                                                      SHA-512:BBA0CE25676F1B97E4442EEF0FF0410E67DAA780AD18FFBEB61462ECB6846AA82C3AD5806656A4048111807096BF359951E2D628EF77D5923ABCEE57FC855156
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16176
                                                                                                                                                                                                                                      Entropy (8bit):6.74420130921519
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:jXfMxA3wKbW25mWHWWxNzx95jmHnhWgN7aIWN4uvpGX01k9z3Af/8ROnkxh:jCIW25mWHdX6HRN7yxpGR9zqCOSh
                                                                                                                                                                                                                                      MD5:200A2EF8039A866C29F6646C08C916A0
                                                                                                                                                                                                                                      SHA1:D9AFB3DCF376FDF153D5B0F1AE6167660DFB1FEB
                                                                                                                                                                                                                                      SHA-256:F587E4D5F4347D8851FE63FD165FF3AF6F0A0D7EDB22DC9EC13878CC5342AB2B
                                                                                                                                                                                                                                      SHA-512:51BEB0733A184397ED605D483D0EF47F7A6B6DA05666DB5175CBDB8CDEFB90E4D6BFDB0C59E118796E9851108D590F2EADF3CF07944424C05276BD9F8A64E25C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):416056
                                                                                                                                                                                                                                      Entropy (8bit):6.650016678777876
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:bsuTEcoc/FGNasNt2l4ru2jKw6xtQ7/tvjETqCZ03EdZbj4MKpW:QuTf/FGcsNtM4q2jStgjTy4MD
                                                                                                                                                                                                                                      MD5:ADD4BC84418AEC1011BB4AD7EDF12B00
                                                                                                                                                                                                                                      SHA1:A1D54AA744C20733AAAD9CA4F219B05FA8245981
                                                                                                                                                                                                                                      SHA-256:9444173233A16F1C5508DDBCA2DC674DCFCFF91DAE321CBC8AC3A01527A6688B
                                                                                                                                                                                                                                      SHA-512:5A0FC3CF99BE67F49870DA7E487BA880F3624A441548EE76557C355FAC369831DFAB833C8718C986F89B4A77AA7065C9CEEFC95A40794AE1818FBFBC967FA807
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):47384
                                                                                                                                                                                                                                      Entropy (8bit):5.386361519950313
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:7ky9wsP/QEBuk3bqUghj9zk6KPivxbzY17tFAX+0foWIl9zApn:7ky9wsP/QEBuk3bqUghjVXKPipb017tc
                                                                                                                                                                                                                                      MD5:CC68F9E56A287662C705302068EF4994
                                                                                                                                                                                                                                      SHA1:DB038C3BC9434359367D4AA7801C605D2D61CFCF
                                                                                                                                                                                                                                      SHA-256:AB5638A08516771F08F7CCA49D9C43FB90E5937CB1D6F03C307A5EBFAAAB5BD4
                                                                                                                                                                                                                                      SHA-512:1609A29259407CD37627B9786897206FCC229DF4955317CD60AC71A9AF175BE866AF456B08C76401CE2083D67E837E37D5AF7B24F61ABB392D2DE44CB71CED23
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):338216
                                                                                                                                                                                                                                      Entropy (8bit):6.547091859291254
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:PZkDfqaP75HL9eEIdanhOe9jb3b41PlmFFVZTdiX2JD:P2DfqweDdSo8D
                                                                                                                                                                                                                                      MD5:634FEF75870C6C036FB4132A4E4D5B63
                                                                                                                                                                                                                                      SHA1:9020E99507A27D3009B5914F0E73C91F39C1AA1E
                                                                                                                                                                                                                                      SHA-256:7BBCA593ED7F5B8F8650ECD5E597190D7D55BC4B1B9D8A992C7A1F887E65DCC2
                                                                                                                                                                                                                                      SHA-512:03B92B87E25344F425AB05475845B14BD8B320E8C09E5B55D94F8FD284097F5226A99720988DDCAE025B92C60847F04AD60D74C0E4E90BAD380EB0A5390251DC
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):47416
                                                                                                                                                                                                                                      Entropy (8bit):5.395594314778358
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:dc6qXYiTR+DUnWzE8vk6Y4mPFWg0WhQ9zK6:d0XYiTYDUnW/c/4mAg0WmzK6
                                                                                                                                                                                                                                      MD5:48E2A256B5D7FC2BB74B5046AF715072
                                                                                                                                                                                                                                      SHA1:EC1854323EDB9C462A2A967C1C06759C3261CCFD
                                                                                                                                                                                                                                      SHA-256:2911FCAD2139490432F3FA96FFB3A50A90E06F84C60E45DF60E6DEB4126B16B9
                                                                                                                                                                                                                                      SHA-512:2D0196C98EAA40759ACCD38C5410F482CFBFC83B79CDC629E0297A3B590B1FDD3FB77299F38A1F1414DBBB71475C6CEF744BB2FD7D695E9D3177BF7817F80C68
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):67896
                                                                                                                                                                                                                                      Entropy (8bit):6.071077935827304
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:CFtHMfPA85VU9QbAoqxfxGSC0e+LRnugRxFjyGw3/slSdoF31s7YiNL2OSkkkUPM:2GQ4EoLmpzFYU4WCzj9
                                                                                                                                                                                                                                      MD5:7AEC30A9E458C5C0025FBFA3A940B791
                                                                                                                                                                                                                                      SHA1:E7AED5DDD43AC6D7EF1D474229EDC9FEDFBF1DF6
                                                                                                                                                                                                                                      SHA-256:1A1CB8D5807BF6EF60EE749AF2A7D485A581FC7C03CED44E947E08699566B2AD
                                                                                                                                                                                                                                      SHA-512:0D18CA8444DF6C74CCFD74344B59F6B965783592AA4E674478ADDD5ABACF0518C4C0060BB07E7471BF550A909F50E8DC6B6C779922E58EB870FBCF2E0F298757
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15664
                                                                                                                                                                                                                                      Entropy (8bit):6.8080160066573665
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:PAmShxA/HmWQzUWUdWxNzx95jmHnhWgN7aIW5Y3YHnsTX01k9z3A1GUST:PlexWQzUWUeX6HRN7GgYMTR9zUDST
                                                                                                                                                                                                                                      MD5:6D8E075425E16A234FC8F5463C11BEB0
                                                                                                                                                                                                                                      SHA1:97D419FD390DFBF214FB7CFCA029A3458554F55E
                                                                                                                                                                                                                                      SHA-256:383907734CD3DD76969A359423AEF226CA131AD085FEFDE4943F9B6BB9B28102
                                                                                                                                                                                                                                      SHA-512:45B57EC21B8E618E83E0B0B790A6C5964054D50C3DB8D88A7B564201BD693746C555A0203C50F7DEBB6888222A0BE8307598C6451AA1FDF254E48D1CF5A1A795
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):145712
                                                                                                                                                                                                                                      Entropy (8bit):6.215648320789539
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:gHiUYBgRTeY0dpwQn60x7cftbgZ7eInKT5DFN3+M9:tBgcY6aQn60x7cftbgUHl7z9
                                                                                                                                                                                                                                      MD5:E65ABBCA33F2ACA899D9F5106D6C4CE6
                                                                                                                                                                                                                                      SHA1:27E9980354458C7EE097F752874C1F6D95EA66A9
                                                                                                                                                                                                                                      SHA-256:CC685536EB2061DD6CAF225E353334AA9179AFAEEC105836CBE3B84B88E3BF1A
                                                                                                                                                                                                                                      SHA-512:C7614E260036828F863764FE41920DCB46055928DD5274628C317C3997C95161D131A02358ADC1B7E3E25928AC24434FCFCF49DE5A6DDE5C5A3FB2B947265F95
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16680
                                                                                                                                                                                                                                      Entropy (8bit):6.732264017448511
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:QJ+yQNWbKDWdQYA6VFHRN7XblAcGkELRPR9zjOZP:7DVFClruyQ9zKl
                                                                                                                                                                                                                                      MD5:3DE56E93F4E1D8D189EEB58D935D39B6
                                                                                                                                                                                                                                      SHA1:1534FDD929DF529AB29EA4DBD1E9E9D3EC51C949
                                                                                                                                                                                                                                      SHA-256:07990D092B8200A012C83B871324F18AC8C42D335EDFD570A1D6A695D55E43E7
                                                                                                                                                                                                                                      SHA-512:893F5F8D72AB2F0C48E33C7A38864380571D57E162A371B2B4E4ED879CFC37F220117860C7DA324EC5BF57F683B70A78D3BCDE010ED67A7AAAB553D5C9AC4C6A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):133424
                                                                                                                                                                                                                                      Entropy (8bit):6.077871799095023
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:DN8FFc4yeP4SyuvmH00N6no5WvCIp4oRcreUiY:eFFEimpjHo4eA
                                                                                                                                                                                                                                      MD5:9436B672EF85B0060E417B93E6F4CD05
                                                                                                                                                                                                                                      SHA1:589C7567B4B9FBCFC69048DF509A8F401F31B49E
                                                                                                                                                                                                                                      SHA-256:FA7D94825EC7ADEF2171952CE5A176B74CF97CB3C7A792A83A0CC03EB4A3B071
                                                                                                                                                                                                                                      SHA-512:A322D1D8D45CF3E5DEA7288BA1C192D5792D0C409A6F0140846A302AF5C33BC4AFC0D11DEC81384B7CCFF8F9B66BFF1F1C20B6A357B3D6AA95A91B1A06BD3E50
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20776
                                                                                                                                                                                                                                      Entropy (8bit):6.428726027972037
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:v8iP7uC8MYITetNPBw7vaWxAtWdYA6VFHRN7DkELRPR9zjOmxk:vRMPD8FClQQ9zKl
                                                                                                                                                                                                                                      MD5:72E86E777EB37C25309D9CA02FB173D2
                                                                                                                                                                                                                                      SHA1:958DBEA0B0EC16624B24F05A13633642D929A3C0
                                                                                                                                                                                                                                      SHA-256:4EF5CE2DAFC66D495B9D075EB30AA5DC5C32A84FBFB2903E57E514A7BB4ACC96
                                                                                                                                                                                                                                      SHA-512:E15CA60C6D30BF4A661B51D7034E055224A89B108CEBA7FEF13C9246391E46DC05D35E6F46AD6FB0D115CAE7DE6371F6CCAA71695D56A84C9FB9DEFEFC8FAA36
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16680
                                                                                                                                                                                                                                      Entropy (8bit):6.6920378205912305
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:8YwoCMWs1CWSYA6VFHRN7xo0yzxIPaR9zEs4M:8ToF+FCl+0yzxOW9zFh
                                                                                                                                                                                                                                      MD5:61F1E563B3D2F94B3392CD568254FCE8
                                                                                                                                                                                                                                      SHA1:E5F006FBC73D470081D92C2DFD47C13382D78438
                                                                                                                                                                                                                                      SHA-256:9E24A4F9235027AB72D2480FA54EB291AC46E86354F240426CD8FA0FDB2BF197
                                                                                                                                                                                                                                      SHA-512:4CFA20B326B7729D1483CB1AEBBD261A4B6FCC46948C91C4EC844D34038ECBF94C84AD6959AE499AD8C7F05D72C2CF1A19A1C09BC5D25B1B98A81A51B8712357
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):244000
                                                                                                                                                                                                                                      Entropy (8bit):6.507233565279823
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:IgsUsdJHsqVpPq+Pu1Nr7tXAjsEpN0Qif+H7zgiuG4krZAuZAt0/+9MyQ4UjIPKx:zTs/Hsq7Pq+67qjhp+QifaCtz9VTKp
                                                                                                                                                                                                                                      MD5:CDF076CA69511E705F6F5B753098F9AF
                                                                                                                                                                                                                                      SHA1:90D319A2C2206528DDC216C4B7A55F3011EBBAF8
                                                                                                                                                                                                                                      SHA-256:689C8742BA53CD02774B1E7A94C9C9F15767C4BF4FCBCE2B801B916329BAB51A
                                                                                                                                                                                                                                      SHA-512:1ADABCFBB98CAE2AEF81ECC4C7E3E423E02955691FF0B6FA0733EC764CD94DEA6CA9A3F2797D60760E28FE053F7797F77F3DC8B854A627836C020B569B05E13D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):272664
                                                                                                                                                                                                                                      Entropy (8bit):6.5102889309866585
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:OhWQ+7dHwUJgHKaDh3ZQDQKEtS5SQTc3XPOsu1t4jnX4Sly4cv8zq/xv642ucUpX:Y5+7NIHCEJ9ly4DW/2NfpgzAmR
                                                                                                                                                                                                                                      MD5:41A6F214168ABD16EB912C85ACC09E6E
                                                                                                                                                                                                                                      SHA1:29441BB9FA6E8B7A3F058FD511490025C920246B
                                                                                                                                                                                                                                      SHA-256:4AAA042DA8CCF199E8131429FBE28B71A8547B3CB8ED20D3B6962BA6D45770F5
                                                                                                                                                                                                                                      SHA-512:B977AC9C155CEE618739A115A495EB92EF270A5B0DCA1DAAE4C78B836BE3A7D3EC06B030180AED0AD116C4DA6A98AE7185D919FE141A667AF6FEEADA0C72030C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16168
                                                                                                                                                                                                                                      Entropy (8bit):6.766379214654712
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:c0sRqXWDRq4oRqm0Rq7WSYA6VFHRN7XgJ8KER9zly1O:9mqKq5qmuqFFClwJ8R9z01O
                                                                                                                                                                                                                                      MD5:D21C365011A6420D58FE6EBB86C5784E
                                                                                                                                                                                                                                      SHA1:7EEA87877D56968A80A940C5FDD72E7416CB666D
                                                                                                                                                                                                                                      SHA-256:C016FF9595BF28A1D507A8058BE786FD0EEA635569EAE5E27D8F7B0B8D2DE0F2
                                                                                                                                                                                                                                      SHA-512:FE74960971E974771D86195B317A5096412868654F151CA2BB1FF4E058EC8315AA19613C2423597A6C02F88BFFA4E6C05360C1143FE09306955DA48DEF5C9477
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15656
                                                                                                                                                                                                                                      Entropy (8bit):6.821063767728242
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:2gKxRPWYRg7Rp0RjWCXYA6VFHRN7HoJR9zgwmL:2gKnN+putXFClA9zA
                                                                                                                                                                                                                                      MD5:0DEE67964FCB385F9FA8B7C3828ABCDD
                                                                                                                                                                                                                                      SHA1:831A65D098049E4260A24B7C6AF40B1F97E4D598
                                                                                                                                                                                                                                      SHA-256:07C60EF102AA7DFAD2BC691A9B4B9D827C40934C4E88029E19E9694267B93465
                                                                                                                                                                                                                                      SHA-512:277719C8981D6EE5F86E58FD6F1D554E9044B397A0598C4FABF7B7E6F8243A86C96114EA3DCAA80EF9942F47C60D0CB27DABF8CA081437A20A94312C4155DC52
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16160
                                                                                                                                                                                                                                      Entropy (8bit):6.706885767315989
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:9D3RLWdRMCRA0RHW7lX6HRN7U3GiNbZR9zBd6o34:9Dh0jAuSFWmFT9zz34
                                                                                                                                                                                                                                      MD5:1104F40E8469C5590E7EFF79F7CA7D20
                                                                                                                                                                                                                                      SHA1:D156ECD4719973DCD81AA14D1A5E25C403506E66
                                                                                                                                                                                                                                      SHA-256:B5809B99963888AA99A958A22982CDDD7235C09053466F2922C3AB120CBDE456
                                                                                                                                                                                                                                      SHA-512:2126C5FF977F4E1A1F1CD0D5E96C0AAB5476CE12C9EE14B3AB9AC7180C9483F681029C961E3031D82F788B2172F647FADFE99805BFAFD9A2625723B0C1E9273C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):84280
                                                                                                                                                                                                                                      Entropy (8bit):5.88073044398993
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:pR6V+A9+/PACL3jKhNro9wbnjVZE+eU6phWpGzFT:pR0Z+3Ai+hNroebns+P6PsGpT
                                                                                                                                                                                                                                      MD5:75A8A0B838312CA85F7080E46E2AD772
                                                                                                                                                                                                                                      SHA1:0CC9A61CD1CFC94CB62E398161E55326AA746A34
                                                                                                                                                                                                                                      SHA-256:2172BDD60DDE91FD530473D4C8D7BD96EAD15CCE886B438F3B39363DE781C671
                                                                                                                                                                                                                                      SHA-512:770A19C2C1CE7228835AE58198CFA9CCB52E1D9AD246D18069354F0BD94D2A1A2BCFF430F59B5320026C625EB47CF2B6F650659E1F69D8E1AB5334AC806F63D7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15672
                                                                                                                                                                                                                                      Entropy (8bit):6.764939082374204
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:5tfL/jFoPaWuJmW0xWxNzx95jmHnhWgN7a0WamLkoiINFPKBWX01k9z3A+olmV:PfLxKaWuJmW0aX6HRN7R1t8KER9zllV
                                                                                                                                                                                                                                      MD5:C804A5B35533C6C78ACDEB7928617388
                                                                                                                                                                                                                                      SHA1:C037FD5B022707FEA213F703C22682CB4A2C95FB
                                                                                                                                                                                                                                      SHA-256:1481A72E898D6A995BB99EFFFF60AC5CF4D49463A24DC23EA6F73B5E69E3251F
                                                                                                                                                                                                                                      SHA-512:EC938C04E946C36CB378A387D8E8EB679E16A43C4E0E75C6DA8A428E426B0EACBA7170758EB1199A45B18A1239EA61806ACA85FBAFF698D6FAC77B3FC8268F07
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):831256
                                                                                                                                                                                                                                      Entropy (8bit):6.118714221658192
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:IAw//Ol2fDVo5pdHnbAHhlyZ8OXTw05nmZfRc5:IAwXDVabAPlAmZfRs
                                                                                                                                                                                                                                      MD5:C890CB767071D6E6231D7FC96B09812A
                                                                                                                                                                                                                                      SHA1:DA53E98E516F2482DAD274D7D37B98A9307669A0
                                                                                                                                                                                                                                      SHA-256:5146291E6AB9C284FB1FB9564C067A142B97CDBE66D8DAE6BA4E67CF52C66F0D
                                                                                                                                                                                                                                      SHA-512:11EBD9B4DDBC4B18724BBAB8E59A8FD41366CE4D4B4905351D7B4EB61019B4E6A146C389A3761D2B8459A947C39B77F9BFF2C825E38DA15F6476C54ABAB64CDE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):55592
                                                                                                                                                                                                                                      Entropy (8bit):5.794508588818863
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:WrHCYlbejwSCGs6ZQyvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvB:WrH70jSVyvvvvvvvvvvvvvvvvvvvvvvZ
                                                                                                                                                                                                                                      MD5:78C22A26EF9F5B8411C0E3CF5AD7441D
                                                                                                                                                                                                                                      SHA1:0B6893BF383C5EE0A72FF0037D8D6A49D986718E
                                                                                                                                                                                                                                      SHA-256:7AB974DC21BA2583908C76AB1D341668B737C31D77A450C964D54579CC23DA5F
                                                                                                                                                                                                                                      SHA-512:C0B6A08BF8A91A27CC9D6C2B3AA6555DAF6F5F5F959A8D188B0054AD25CFA1C171954C45FA68CB09579B3306D4AAC6D3254FA477DCF036609AAEF2DE1CDB2839
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):264472
                                                                                                                                                                                                                                      Entropy (8bit):6.548591134679868
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:pAindQCtmkal13Vn7vUoD2+bkf/B3q1GqqcJIbaIksoRirnnMpDTp/RbC++xMQPp:eidUT3tn3bwNKvco4roTpcaQPEamBHY3
                                                                                                                                                                                                                                      MD5:D9F34984A15B7E1651950F7FC4212AD1
                                                                                                                                                                                                                                      SHA1:E31F71380FCC9BA64847F0B60D8DB85671F83F85
                                                                                                                                                                                                                                      SHA-256:E595732C065539AB183FBD27CF5E42C63D11079F7ACBEAE455421B5E2E73B669
                                                                                                                                                                                                                                      SHA-512:FCB010FBCEAE2197AD927265DD5FA5A8CDE9E0859C127144A0DEC5E33592CCAE6CDD840F1CE15BE216EBDB6755374AD8D14162303219A4C2D5795AC8F267DC65
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):104728
                                                                                                                                                                                                                                      Entropy (8bit):6.04299609988956
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:xxkAAMNiDSjaabcPihEzfQHlDE7H+CAvpYx/K8yf9DSWXpzF:xxL3YuiA2dbi/f9DSypx
                                                                                                                                                                                                                                      MD5:7B8853FA50238165F45E3C6B33D6351C
                                                                                                                                                                                                                                      SHA1:5168A2CB788E45828329959A8BEB2ECBFB49112F
                                                                                                                                                                                                                                      SHA-256:3053AB194B17A8175155651B35D0FCB62F3D8F0C3078CBDC2627C4C7669042F3
                                                                                                                                                                                                                                      SHA-512:5A980D92DC624D433AA929B6643D05710058B71CE0FC85814C80421578E6BDF94A0900221B59DC8458DED615A655C809A5907D3960F0BA98AC2392A3B424B23B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):55608
                                                                                                                                                                                                                                      Entropy (8bit):5.425657754099587
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:FhuF4f/D8T5a9OkVAJM1/1PC0lr1sklWIk8R9zo:FhuKD8NawkV51/1a0J1sklW8zo
                                                                                                                                                                                                                                      MD5:D65CCF17AE03862430A708738F23980E
                                                                                                                                                                                                                                      SHA1:2946EC1A63DDE5130CA32274D34C02A70E0F3CA4
                                                                                                                                                                                                                                      SHA-256:D7BF8354D118851E2CF0934CE8AFF5DE79C12362FAB51107E8C42BDC20C2B39C
                                                                                                                                                                                                                                      SHA-512:DAD79CB469E724DAEB51B72611BEFEA74FE24029A5135C729B87DF2C81781DEB2ACAD08EDB0FA295ABA50C8C5A1AC41802528C5ADE8F3629538FE35B2A9347FA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15624
                                                                                                                                                                                                                                      Entropy (8bit):6.821694638098971
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:z1qGW/dqWMYA6VFHRN7eVXC4deR9zVj7qgTyS:z1qtgFCleVXC4dC9zVjBTN
                                                                                                                                                                                                                                      MD5:67EBDED0179552C303E213781BA5DB4E
                                                                                                                                                                                                                                      SHA1:BAC421FF4E7F2CE0CA3073294E19B6C19B587F74
                                                                                                                                                                                                                                      SHA-256:7C2AEF2BD75EB88874D980358D91C66DE8919DC887FA94CF1EDD770C3A8E5F74
                                                                                                                                                                                                                                      SHA-512:5A8EA7ABA4E118036898625CA47D6842EF0E5FB19DF1B847BDB5DFF73ED52ADBEC7CABB26D54CD8D44605178E355143814FAE6697ACA27FC292866A6302BBE8E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):88368
                                                                                                                                                                                                                                      Entropy (8bit):5.877540050029605
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:BRo/2qh+M5COJu0ZOqpE5fer4GRv33333333333333333333333333333333333W:BOOGVVu0Z5pw2r4G933333333333333m
                                                                                                                                                                                                                                      MD5:0713043930CD3C83563EC283D10742DC
                                                                                                                                                                                                                                      SHA1:88CCAFEB1BE351C16A3BBFDBC6E160031E3A9B77
                                                                                                                                                                                                                                      SHA-256:3B6BDFB5BAD16C2D2126EABB74A9859CA414FC75E6EB520E93D3A43ADBED7640
                                                                                                                                                                                                                                      SHA-512:BBAAB646F9BE8AE26E0AD00DFDCEC00F8F00968A594BF4C030D0272D2E8F6147413CB939FE4C1563A39AE2566532E429ED0D1362189EBF9205ADC12AADF26A32
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16160
                                                                                                                                                                                                                                      Entropy (8bit):6.72885945570015
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:iW4RH8FxAvoeTbWyp2WUoWxNzx95jmHnhWgN7agWnY00pyEuX01k9z3Aly+KIQx8:34RH6FyWyp2WUHX6HRN7CEpcR9z0BSte
                                                                                                                                                                                                                                      MD5:5591B6C98BCFC539D04FB4116CD1D18B
                                                                                                                                                                                                                                      SHA1:330F3ED4D9B6546364FD04E78DB1EAC9CDAE050D
                                                                                                                                                                                                                                      SHA-256:4A61B376B6E77FC3FB20ED4ACDA6DBDCBE22D9BC30BF4E06925C003ECA391269
                                                                                                                                                                                                                                      SHA-512:F47FD870FA993ABFFB90C575AD94EFE1FA347944C0435102065146477B2BF1E60EF9493647538949EB19173F4864188F4D407D4B997A5FCB33E653C5A184E410
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):92448
                                                                                                                                                                                                                                      Entropy (8bit):5.820503518807393
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:JA3qoT3QvNN08kx2/YE3SjZwKPU7+GGlux8a5htWgEp4z+:JYq23QvNN08kxM3SjZwKPs+GGluxptXy
                                                                                                                                                                                                                                      MD5:7314D93D8AEA712CC1A2D9B72FBFEB2E
                                                                                                                                                                                                                                      SHA1:F9F213CFF762F5006742DF60872EA9B9172E7322
                                                                                                                                                                                                                                      SHA-256:BC9EFF07BA9B2C4F4DD82CACE1409A594CAAA263EA481FF7D095EE32170331D3
                                                                                                                                                                                                                                      SHA-512:5919A654FDFF9452CE14B0D9951C8B33DA0BE8693288AD6364CA4EC1D116B92884DEF110A5B807F02CBE1CFF6F00091107C8C17AA385F1B4BA582344D04C440B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):84264
                                                                                                                                                                                                                                      Entropy (8bit):5.806191116216466
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:ROxV+zNttvCu2mNikiq7Zb8G/ve/caa9WkA6/iLzUiz:ROx0Ntt3Pisb8Ge/ltkAyQUi
                                                                                                                                                                                                                                      MD5:F77A293786087936DB47A5F85D028681
                                                                                                                                                                                                                                      SHA1:1F484F14468C4E28C61E04D20CFB77949F7F1E3D
                                                                                                                                                                                                                                      SHA-256:C4CE83776FAF64605E92041546DD886D7718AABDB79585F372822F4943F10CF3
                                                                                                                                                                                                                                      SHA-512:6E937A2C3A80E8B9058DB6C2389085765FD7A449753E4B3ED3DD9F2EA4ABF44DE45BD54E1F9F06AF2A1A8B3C876730898756D621A9DCA310C6430D47171B8557
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16656
                                                                                                                                                                                                                                      Entropy (8bit):6.745569370541998
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:2OeIbSlW+WPWuYA6VFHRN7DEpcR9z0B7QWd:2OIyVFClDEpw9zaEWd
                                                                                                                                                                                                                                      MD5:C9E5B4FB06655ACDF85805F9BFAABAA8
                                                                                                                                                                                                                                      SHA1:0434768A5419391C748787E55E7E43CCA69DECBE
                                                                                                                                                                                                                                      SHA-256:357478614E285906C5478249E1FFBEBF08D5B8FD508FEA854DB6632540FC2E47
                                                                                                                                                                                                                                      SHA-512:3DC99ECA3BD14B422C633FA12E081044BAA1756DEAD3D633BA338E7435B5630303ED53D39A681A018047EC4CDB97C8F028EFB91EC16E37F17F28F228F2E68A28
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):166176
                                                                                                                                                                                                                                      Entropy (8bit):6.346058751718644
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:VN2U8z8G2Xr0DUXHw8pLZx1w82V+qyp8E9o8vFM:TJ8z+4D98pLiE9o8vi
                                                                                                                                                                                                                                      MD5:E2998F0D8693BB46B40A210FA04F9BEE
                                                                                                                                                                                                                                      SHA1:645C748C1F9D738598BD8C272FE799A02B0D3D60
                                                                                                                                                                                                                                      SHA-256:1972A42C7B9045D102AD48081CD93DC4D96DAE9FF016F75687D4887D03D2920E
                                                                                                                                                                                                                                      SHA-512:B1B3F451E91DB813ED013FA4547E83F905A35D2A9E2EF557262EA234E1D9F0F2C4E5761F1E3C78A558C8DFB970D9FE47D987179927331915A8BC680B15E8D1C6
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15632
                                                                                                                                                                                                                                      Entropy (8bit):6.829247129940496
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:PWvewMxAqj5WjB+WvpWjA6Kr4PFHnhWgN7agWzFY00pyEuX01k9z3Aly+aI4O:umwaJWjB+WvYA6VFHRN7wEpcR9z0BSO
                                                                                                                                                                                                                                      MD5:971EE5253BB544A7B2B3A1077C2C6008
                                                                                                                                                                                                                                      SHA1:FCE7DB0F757434DF870CC2113DDD67B893C56CE7
                                                                                                                                                                                                                                      SHA-256:5B614D49BBA36FF77CAA7A760A1E2C1642435A1FA949BF3BD25015BFFF91473C
                                                                                                                                                                                                                                      SHA-512:EBB00CFB6916B79A49FD1B6E0F9C7D77373B747D452466D09CD6689297287C8FE7AFE45E5C341B46998AE7D716D62EA88CE3B0EE26D87263C83DA4735FBE344F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16144
                                                                                                                                                                                                                                      Entropy (8bit):6.68496802568185
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):3676456
                                                                                                                                                                                                                                      Entropy (8bit):6.685377818335155
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):805128
                                                                                                                                                                                                                                      Entropy (8bit):6.742092274429004
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):174376
                                                                                                                                                                                                                                      Entropy (8bit):6.299213446161007
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):543016
                                                                                                                                                                                                                                      Entropy (8bit):6.741951464470459
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):157992
                                                                                                                                                                                                                                      Entropy (8bit):6.472585497766165
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):129328
                                                                                                                                                                                                                                      Entropy (8bit):6.199319743810756
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1730856
                                                                                                                                                                                                                                      Entropy (8bit):6.690299064412809
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:PycBozKb96UEnyPwWwnxuNnQZJjD2E1SMR/S5IP616zF1IMx1s:hBozy4UQWwwNnQ//lSMRKa0
                                                                                                                                                                                                                                      MD5:5FEF63054D9A2786E932F48D0EB8C7DC
                                                                                                                                                                                                                                      SHA1:36718C8A24757E6DA65DDD30AFA78691EFE014BF
                                                                                                                                                                                                                                      SHA-256:D88A1E49EC7FE3EFEB41FC61E453CD22468FB729DCF451BF3B1E0C53179077D3
                                                                                                                                                                                                                                      SHA-512:475A3E2DF1AE4987CA2E696D0E28E5888379700D86D496268DE72163B46D67D1CA3E336E23B88F7F0BCEE3D4714CE4695E82E6F55010C435E06B1E65194A7005
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):551216
                                                                                                                                                                                                                                      Entropy (8bit):6.570850705797673
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:umIF66bAc4F/B7VRZ3KY1B0hZJ6c7fkDNRd2B/hy13n5EWZgsgG4qikXOG4drZ9:TAAc4F/BJ1uZJZxhS3iWZgZQOzr/
                                                                                                                                                                                                                                      MD5:F30FBE5D270D3C1D1BC8103D79E80F0F
                                                                                                                                                                                                                                      SHA1:CE5C4B14BEC108F97310390A18FD989A1C1E7D29
                                                                                                                                                                                                                                      SHA-256:41F81F076D63745AEC9008452DFE5494390507C914D7ED0250571F8AB3721D12
                                                                                                                                                                                                                                      SHA-512:2913F9871A991FE43077AB2EF577E2EA03FD0A1DD2135ED72AF0532CD0ED0879858E8B55CCB0A8D876364A10DA45287ADEED5E80E9F2AD27D8E1E55AE8900056
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):432440
                                                                                                                                                                                                                                      Entropy (8bit):6.566239028494259
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:wrcqVeM9GnQkW0a+Sdjoe9kDu0GeFowMR5JJLmqRSxnJ8kkG1BL0q3+lsK:Ue40aFP9H0NMBSxvL0AEh
                                                                                                                                                                                                                                      MD5:2C96EE7E735BA59488B6A339EDC04420
                                                                                                                                                                                                                                      SHA1:29CA05738467C74F9D5E7078043CBC1118E1C3EB
                                                                                                                                                                                                                                      SHA-256:E3EFE9F1852535908C7EC2B1B473AA5917D0BED5D0BD2C7D5DC77B603ADF8279
                                                                                                                                                                                                                                      SHA-512:94B6A5D24EC7CC15991FC7C3C86A6A51D04E7112AB595163F4DA6CD2FC2D6E38540157C1CBE703D72764EF73C4ABD4E707D4D0FF3E1268FF0AB04AD842A1D680
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):112904
                                                                                                                                                                                                                                      Entropy (8bit):6.14105129338038
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:kKN4B8OosZjsM/flInEhNRKdRxRZDFauWFsXwYUivYtzf/:kt8O7GMF+E/RgjvDWFsAFCgD
                                                                                                                                                                                                                                      MD5:830154A3A12519882938F7367080CB2A
                                                                                                                                                                                                                                      SHA1:B7464994D56D3F8E615EE56A5A6228C52E6E374E
                                                                                                                                                                                                                                      SHA-256:67D6CE9D3592927FDF25BA715F0E6AAA06A11EB41C13615234CA508813CD7D0B
                                                                                                                                                                                                                                      SHA-512:FD0B691E44E75A85211E0D58D199A2631CE74656FBEC186F1AE3841C93694F395E4C1B64EE14BBF703056EF0F41B111E334E32CA55456EFA11D6FF890238F042
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):157968
                                                                                                                                                                                                                                      Entropy (8bit):6.293376030261192
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:2RppMzz2p/xRtqbqW/gU/ULVXyVMn9Qk2e0tnz:YIzypRQb5sd2ll
                                                                                                                                                                                                                                      MD5:0D567DB735EE434D9D42C330D9FE4CE9
                                                                                                                                                                                                                                      SHA1:AFD1A4C53D18285523221E2E0BC2E757D2B64925
                                                                                                                                                                                                                                      SHA-256:D3C0790E53540E6715DB61B512EFA719FD8E195781EE85913FB8832677203BAB
                                                                                                                                                                                                                                      SHA-512:4AA7F32051774ABED9FF97FC16178773BF87E853A0BD554E27CFA5D393570A1A29C47F0C9FD2262FE7551335FC2687AF416CE4DC78C484D594B743E41244D523
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):96552
                                                                                                                                                                                                                                      Entropy (8bit):6.101125548127868
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:47fyYP9J1fwwSctO9hswiUgYwlFbmj/gJR7SfNNJkZphyNVMifz:4hP9J1fZE9hsw4YcNm0JR7SlfuphyNVd
                                                                                                                                                                                                                                      MD5:979452EEF74DA1EF02DDED73AD00E0F2
                                                                                                                                                                                                                                      SHA1:2B213C43E085910EE1584D09FEC913837E00FE15
                                                                                                                                                                                                                                      SHA-256:13428704A113F49B0D6A5324BDCDC47F8D725BD139600F0E8DB5A5DC37884680
                                                                                                                                                                                                                                      SHA-512:4FA9F5FF0BAE7754A8F8C9044153157ABFCC687A1768C63830E2633BDAEDB0A86923E55CE36748AE43EC3B8E79E78C6E9E710290208442501EE248241244071B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):231736
                                                                                                                                                                                                                                      Entropy (8bit):6.473177149043323
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:AnDBNI7bgAZrgyBHSchuzeQ4Ak64myD6uJQ+Y6MFot5PQloV2O1wcdu:S7I7bgAZrB0cgeQe60RJNtN5V2YDQ
                                                                                                                                                                                                                                      MD5:D8CEDA452779306A13FF2F310CBEFE60
                                                                                                                                                                                                                                      SHA1:4447F82C5A1207B244A0AAEBCE3AB3530CD2BD81
                                                                                                                                                                                                                                      SHA-256:93FA4AD1590D704DB6ECAAFBE2E388A5318212CB0A4CE435324EEE0268A11C56
                                                                                                                                                                                                                                      SHA-512:7E736F6E0B57F5D527DEDB0B91291DD3EB1FB0324E5E349C4206A025FE3CEAF5B3E1F21F44653F9C6FCAA41BFD8742B4D37BC5B1BEBCD84378D2A52AE9A64F22
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):280864
                                                                                                                                                                                                                                      Entropy (8bit):6.508318800576785
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:NpnhH0ESsuurvHsPNTiiJe7ryKSIqqTxM8uGljRc:LhH0ESsuMHsPje7rAsMwlN
                                                                                                                                                                                                                                      MD5:1E9B9E443C93C2C10B5ED5A18A6F373A
                                                                                                                                                                                                                                      SHA1:8F3D2DEA48ED2B29178BCDC998ADD696D101D5FF
                                                                                                                                                                                                                                      SHA-256:24674D754F8DF968CD688EDB57D76CC0D19CA8556FB233B228DC43265F23AC65
                                                                                                                                                                                                                                      SHA-512:42BF6AD8C6707F3924AF164F3ECA305678E39F5343C96EC1415D37D1EDADFC0CAC2A7BA619D16B721999909EA773221748905E0BC7A35C9DC641C06A8662DD3A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):346424
                                                                                                                                                                                                                                      Entropy (8bit):6.517886198613069
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:eDpG2K8Efzpt5rc1EGrt5e15/ftXIDndDpek+fs3CU1S5m:upGp8Efn6GG7enfsyHgCU1v
                                                                                                                                                                                                                                      MD5:15453335CBB5A8C13B6C3579CB27EF44
                                                                                                                                                                                                                                      SHA1:4290DC1F4674F46AF1BFCFA2CAEFDAF6E29D5236
                                                                                                                                                                                                                                      SHA-256:2AF7C808F26966E6F607C5E64F8D0117301E0EB3BD830C0731C7B1C2811FEC5D
                                                                                                                                                                                                                                      SHA-512:07C36FF474FB60609AD531CCA73B3ED3B6B7EE2F764DEE61F17108D9399EB07627D31585108BE25FC7161CF018893A0FD91BA70E0D1640D48F842376C00CB6B9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):669992
                                                                                                                                                                                                                                      Entropy (8bit):6.743467370555766
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:eXujiG31ToS7RD8B8XmDeXPRkUhIP1dD/m1p6X90QdsAYcNCyJ:eXRGneOkDDI6NVS7cT
                                                                                                                                                                                                                                      MD5:346732F74DAD8A8D557FB494D5636E63
                                                                                                                                                                                                                                      SHA1:3943BDF4BFB6E4F1A79AB5027BA7E2CC3A88FDB4
                                                                                                                                                                                                                                      SHA-256:F8D695445499BCC4CA8A41436DF9167B3A730EE0FECF9DC2A40E998C769EB1B8
                                                                                                                                                                                                                                      SHA-512:65E678314C4566823A491CCE1E8EF674E5B78CA1C11C67F86C4EC92FF609D7F66FE9B3433123387ED644B044B7B670BFFC490769C87A9A8D11E868999FA0B18E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):47384
                                                                                                                                                                                                                                      Entropy (8bit):5.320340299131119
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:djM1jzxKx7KzNzY7okroiIpPMOWOYe9zHz:djM1jzsRKB6ovi6WdazT
                                                                                                                                                                                                                                      MD5:92C47820207565CCDF190FBA0C055297
                                                                                                                                                                                                                                      SHA1:4695E165E2C162393FF43BC86731C50E8AB2C380
                                                                                                                                                                                                                                      SHA-256:613B5DC25C72833A5A75BA80C59CFB4CF5522C7A6AD39D2D27A005CEEA72C857
                                                                                                                                                                                                                                      SHA-512:B0204A39FC18FD854517E3C90A7459151602F8B6142F622FF168E12C49EBAA9B9BB0E27A87CE708947FF17D526E12A41EC7958AB7A9DEFDC4FC0AA8C3D2596EA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):547096
                                                                                                                                                                                                                                      Entropy (8bit):6.628823968958786
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:ZZ1V7iKdtxaGNUL2Sdr5Nzv0SOFjdP0E/0NYv:ZZ19ietxaGDSzxOt6EsI
                                                                                                                                                                                                                                      MD5:E4D73542713F8FB1DD0E7E5E142443CA
                                                                                                                                                                                                                                      SHA1:2D4C8B35C2EFA76C1FE95D0107B40781C51E4EC5
                                                                                                                                                                                                                                      SHA-256:928CB763462984DF68C19B44B41CF27D002F8B5CB4EF8BA8EB8A6F0602F6B2C8
                                                                                                                                                                                                                                      SHA-512:204EC8A2D43C30F2673C4FC7E6543EA0CE71DDB56C0956B0B1B2D8B53A34745E12A09206D6D1B8A8CB019A3D69324DA068687DACCE87255F98421F3723D399FE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):170264
                                                                                                                                                                                                                                      Entropy (8bit):6.42995613243351
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:Pl6InCEQ8/qNIJ55jOpC2poY3ykJ9rijMFpR/8NM:QXEv/8IJOvpFFH8a
                                                                                                                                                                                                                                      MD5:F87B4ABDB9661C494CBFC3A1A6F1939F
                                                                                                                                                                                                                                      SHA1:5948DD100146C6E2966E5E57A967B990EB6D6D48
                                                                                                                                                                                                                                      SHA-256:E92BA4FCBE48EB14259778EC442BF6330A85517D290675E02C7BDDF8C6752ECA
                                                                                                                                                                                                                                      SHA-512:B3A55EFC33150937E48385DE402362C4112B51B78C6CFBEACA749997295C4B0CCC9BAB301F69F6C79E4897BAEB344FF273B7897D79489BB0C33ABE7A6A277045
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):67872
                                                                                                                                                                                                                                      Entropy (8bit):5.782301099321138
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:/SmwVOWqRmRfYtHQ0Yx82s88krahmqOwA83qJKAFE6WHKV6q6G22N7XK6RH4wqY0:/ShAWqxbYx82s88krahmqOwA83qJKAFM
                                                                                                                                                                                                                                      MD5:1F48CE4F560C515D93BE8E631C6639F6
                                                                                                                                                                                                                                      SHA1:0CA5F7790AEFC8927B37149B8ED9EDCBDD054872
                                                                                                                                                                                                                                      SHA-256:7E1855C9965554D7164BA73D355BCAC2E28C7E253D35D07F58F718B8CB037730
                                                                                                                                                                                                                                      SHA-512:C2879328B25CE351C3DFDDE6AAFE1148BEC7499E261FD9FA6380026D17EBB17EC008F4E07F81E08DA90744DF8454FE479F45454BCDEDC105B35AC7316700C9F4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):43304
                                                                                                                                                                                                                                      Entropy (8bit):5.4543981044661525
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:n3WpvwWJRCJtK5ZkEun+JBTeZDeRbOkKsdEbCLv+CTFLfyO5Ei066gaiGkXYA6VS:n+jRCJWDKCEtOmo6jiJXFCl+ds9z
                                                                                                                                                                                                                                      MD5:C77A9EC63CC7588D5C7FDAE75CA4BA0A
                                                                                                                                                                                                                                      SHA1:912B2FB046EFC6152755A79CC4FB20A096F74483
                                                                                                                                                                                                                                      SHA-256:B28FA5FCE149A161C1619A8C40A6B25F6FCB0F44E4C0580B721D38F024AB3CB8
                                                                                                                                                                                                                                      SHA-512:6788378D707983AB8DB891E489E1169A214A9E54D400522D6E39FB89B4130A885213947AB3F3AB05201D5AA68B629912E68AB52A05438DD8272DF3C6DF7A08DC
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):100656
                                                                                                                                                                                                                                      Entropy (8bit):6.037382679706859
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:p3Y1cu9IUexVQtU3/+wUpHK+yT7G7bw0LCEOsW8zu:p3Y1cDl8tVK+U67bw0LCEOsPy
                                                                                                                                                                                                                                      MD5:F60FC5DF9579B7807A41F83996A92336
                                                                                                                                                                                                                                      SHA1:F1DFFEF2B7B52DAD59C93B438CD8C9FC8237310B
                                                                                                                                                                                                                                      SHA-256:5AF953EEE1E6B527EDB09EB3D51265A08BF0CAA9B57A1064176C7A726E464A35
                                                                                                                                                                                                                                      SHA-512:A74D1D0AB4AE318792443D65B1E8F039DD63FEC0BF12E8C140C4C0DC5B28BC6760D17751D8C08C339C43ACF05FD42F6F68E625B7F4E45CAF31A14A979BE55050
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):190752
                                                                                                                                                                                                                                      Entropy (8bit):6.370812726125536
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:c2OHqla+5t0nMuTBUuzyDbYCOi+dWuWVyRAIUQeu0IeW+domJM9wNYLbkbmvhZdu:MHqla+/0HdaO1QzIeW+doCmvhnE7mNxa
                                                                                                                                                                                                                                      MD5:68AF5E566C3F92B8B5D435E8CF0E4C6F
                                                                                                                                                                                                                                      SHA1:C29C05434C7CA82A0BF15A60CB2D4542483A51BC
                                                                                                                                                                                                                                      SHA-256:5418618458AA64E2695F6F51F51101E0AF961AA884E37EF2CA4212513DC87912
                                                                                                                                                                                                                                      SHA-512:47606C8E0B9642933A81221B91CBBF7FC06424EEF1A37581E5C165DCAC9279C145253CE34D32009BAECB80EF847013FDC355C343C4C7C67BF51843D6A2700CC1
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17688
                                                                                                                                                                                                                                      Entropy (8bit):6.619310311563334
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:m313DLE8RCWovVaWWdX6HRN7IOO2IR9zJgIV:S13Dq+WLhU9z9
                                                                                                                                                                                                                                      MD5:E1BDFB0A3C2077F217E94626A9C84D37
                                                                                                                                                                                                                                      SHA1:4485FA68954A681EAB2A6C6BB5006645AA63FB39
                                                                                                                                                                                                                                      SHA-256:18A45C63385C3F59BD8A503939E2E5C7CD327E2C03219A550E016D6A7CFEF468
                                                                                                                                                                                                                                      SHA-512:8D004D51503A92DC1878853DCD028D7865F22392FE194DEE0CEF6DF0B0A0E040BD2F4D33F4F0524DCB130E39359AF9506A6D0F894CE3D6FD16AA54A2CC67C61A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16176
                                                                                                                                                                                                                                      Entropy (8bit):6.720152735363345
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:yhliwxY2gWa0BWjsWxNzx95jmHnhWgN7aIWTFf/A81BHX01k9z3AZfzpqTJL:yhHbgWa0BWjzX6HRN78f/AIBHR9zQkJL
                                                                                                                                                                                                                                      MD5:D548C14C3C17E640DAF27A76707F3BD0
                                                                                                                                                                                                                                      SHA1:8318BD1AE48BFFF8D0C5609E511BC5C10C8DFE7D
                                                                                                                                                                                                                                      SHA-256:D15A0768577C9E75A3D6FB94D580ED1E32994F4B971BECE03E6AD6EF7FD3518B
                                                                                                                                                                                                                                      SHA-512:D57139F4FD99820FDA6BCFFAD86F818125678E7E543B2C68DFDA4EE0C3547E003B290B5DCE23ED43A6D9B3CC739159E151039BC8B1D26A851CCCE4DF287A0FFE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15624
                                                                                                                                                                                                                                      Entropy (8bit):6.743391402121608
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:sF7xIOUCtWeQNW4pWjA6Kr4PFHnhWgN7acWOedNx6RMySX01k9z3AcyNaxQGEHo:K1fWeQNW4YA6VFHRN7edGMR9zPyr5Ho
                                                                                                                                                                                                                                      MD5:C9FC19DB9FE74066786403B4829EC5CE
                                                                                                                                                                                                                                      SHA1:12240200EC9DC0A64B141761DD2ECF7CCF4D4480
                                                                                                                                                                                                                                      SHA-256:8CECA85D001CFBF974FA37ED8C64CF97B619DCA942501EFCF22D4F369BA42292
                                                                                                                                                                                                                                      SHA-512:3FD206570AB29DAC923CAA7E1FBB32AE855D7814559534637EC381412CAD6AFB89FBAB99BDA21BBBA975554ECF5955B60D2129F5DECB50D70477E1A4BEC7A18F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):80184
                                                                                                                                                                                                                                      Entropy (8bit):5.8034670220183395
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:anwUGEl0HKXrgcCGfN2QSsMWrHGe36XWD09zgS:0Dl0SrqQN0yHGeqX0O8S
                                                                                                                                                                                                                                      MD5:1E2A3C3FCAEE389C04D33C18F3B09599
                                                                                                                                                                                                                                      SHA1:6BECEBD105CEDD72DA755A49720D79F23F43C3BD
                                                                                                                                                                                                                                      SHA-256:447E24F4BFAB9D7F23DC204B632817DDF933AFD89222CB396402B471DFCA99D5
                                                                                                                                                                                                                                      SHA-512:A2BA95117DC9937E60E304384107C09DBBD12EA1BDD3B6210D2088CF10A9A6AA8CC09C83522E54F9F884055FF7072CA4D231273B0DE0BD4E66175E865AB13009
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):13175088
                                                                                                                                                                                                                                      Entropy (8bit):6.846434850139803
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:98304:FdVXzmQ6u2Pf1F1HpwajX4p92QKxV36FChEqiPVGK5+k+uiCi:9WuuT1HSajXgJgV36FDqM5+tuxi
                                                                                                                                                                                                                                      MD5:8B5EE62ABDB7B72F418D797FE73F2521
                                                                                                                                                                                                                                      SHA1:77582007964CBB215278267691A255B63ABE5FFD
                                                                                                                                                                                                                                      SHA-256:4CD6810B4EBE8D6E1F5928F2026D257C112380D33B557A60BCFA9C7F2BB012E8
                                                                                                                                                                                                                                      SHA-512:870EF275E1E8D1607E2B22EB25F1F05F99346B54651BC119D809BF21F1A6F041EFF801B3B5E1FFBB1897975FEB2C3AA47B3699CC4C63ECA8E3E6A60387AB4BD9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2083120
                                                                                                                                                                                                                                      Entropy (8bit):6.7084204593562475
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:zEe18SlNT7q8K+sb8VI5fCImJ1MxOouLs32DL2v6EI6PN:zE8Riy6PN
                                                                                                                                                                                                                                      MD5:3E4914FB86B55E766730BBA2CF5F9710
                                                                                                                                                                                                                                      SHA1:AA6EABD6462F7898FDF34FA71355190A1B915F07
                                                                                                                                                                                                                                      SHA-256:96C38BE90900D54FDE8D6DB1B3DE8377C07DAF21E99976D6A3474A9511E3EFC6
                                                                                                                                                                                                                                      SHA-512:1B5749D910B8B5564F8D125A5AD62218B3BCFE190692D82F5101A8E53DC604060E3D9211B34EAAA6A9094C03529D6CE0196766AB5F266BEB8064B41314834EB8
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):260408
                                                                                                                                                                                                                                      Entropy (8bit):6.615538060259084
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:AfAAcZcInBPKCeDc6Ci9MG3CMeVmtGNFsGu6MyXO:HFKDciMG3HamtGNfuV9
                                                                                                                                                                                                                                      MD5:FADC9E1672EBA182AD57E6FF27DF1797
                                                                                                                                                                                                                                      SHA1:774C74089FCEA3AFE0C7CA1A0B496C999392900A
                                                                                                                                                                                                                                      SHA-256:DC01ED420EF427086F0057013D7AC1CAC07E2483E4CFC162D09DF1B64553892C
                                                                                                                                                                                                                                      SHA-512:0650F9ED9C86103CC66871B4558BA9AE291273FF5E0DC0FA7468F3636AC6896CAA8C9EA714ED821B55A519C6E1B1F5BD26D6DC7196F8F2BBA6215F355A2BE602
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):403768
                                                                                                                                                                                                                                      Entropy (8bit):6.602276363545423
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:oxERCkFa5oBSKGFCoMPxSOpXQgVuThCDCaY+zrZjzEOQlIZPKN:ouRZM5oHGhU/4WCt+z1ffZo
                                                                                                                                                                                                                                      MD5:1BA13843CFE69115B69B9734F08D8C1F
                                                                                                                                                                                                                                      SHA1:D16B4DE6A429D77A9B418E545072B6540AAE10BB
                                                                                                                                                                                                                                      SHA-256:13602313FC8BF7F6BE2183DFE3F07B10CCE450566D7CDE619C238D05137338A9
                                                                                                                                                                                                                                      SHA-512:382DA8E0580447BEF35B2813212634513B6F180664ADB7A3DE072D92FD9485495905A13A0A40319B2C0FF02C2A05549697C1A6BB651C2A42E9F172EB1D9BD68D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):7989544
                                                                                                                                                                                                                                      Entropy (8bit):6.802297198301812
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:98304:CgB/y99HaDD1OMe3dpE/dhYw2knN5WUFX5cha:v/uaDD1Ox8YoFX5cw
                                                                                                                                                                                                                                      MD5:E166C44D116A2A649FB8BF58B8DEAE69
                                                                                                                                                                                                                                      SHA1:E66C37FBA5E3C405DD21C464343B87E173F1FB45
                                                                                                                                                                                                                                      SHA-256:79CDAEFC221388C3E5B9AFA137F8E4A44366CAC0CCC617BF1F5B6CA0DC95F3F3
                                                                                                                                                                                                                                      SHA-512:852C80299D20B6D5D7EBCA7C3D76DA1EA36CED6274374AF8ABD8F484C356321090E784F8C5E8357D1B4F6AC49DD48F81A6642D0D95682BA92C50E07EC25A20EF
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):76048
                                                                                                                                                                                                                                      Entropy (8bit):5.943118914884181
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:2NTs7klOJRVNvKzBMuSxRWHJQZYoqNTJodiOEp4z0:2VxlOJXNvKKxRWnNN2xXQ
                                                                                                                                                                                                                                      MD5:202192E1AEDBDBD47B4C755227C9F174
                                                                                                                                                                                                                                      SHA1:FB61C5557319FA1BBF82302AEF46C331EFD8348B
                                                                                                                                                                                                                                      SHA-256:F625AAE4F7A839B16834764BCDEC5F8008A5171AB1AF77277B4861B077078D25
                                                                                                                                                                                                                                      SHA-512:EB87E36BA74192A177D9649E3B583A72B15C8AC3B8ECD991A56D449EBE99E2CCB3D667FB937055623584EDA6B271658784F9BBB51343843D3317F311C2980154
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16176
                                                                                                                                                                                                                                      Entropy (8bit):6.7440217236656395
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:EXWj9xP9WVTUWDeWxNzx95jmHnhWgN7aIWjYe2YHnsTX01k9z3A1Rrn:vjH1WVTUWDlX6HRN744YMTR9zUR
                                                                                                                                                                                                                                      MD5:AB6EE54636B88E5FE0DADCB9F24D907D
                                                                                                                                                                                                                                      SHA1:FAEDDCC767249EF0208A907DB50ECAEF1AA1F91F
                                                                                                                                                                                                                                      SHA-256:7C85F57B009B38E7F62DE0437A652966DB39134DC95527E3F60EA1B3334E23EA
                                                                                                                                                                                                                                      SHA-512:5131F86CD07BF1BD434E039EE7F0BBBFDF772F5C01EBD6F0968B5E6E5567F0C4130E7621B7D4489698A77BE6543D256ED4217CDA84E9178ACA1FD0F70E507DFE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16152
                                                                                                                                                                                                                                      Entropy (8bit):6.719210609725614
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:7nnux2kmOWxEVJWWWGkWxNzx95jmHnhWgN7acWE1AJvxwVIX01k9z3AXaKrPDs4Y:wpWxEVJWLSX6HRN7T1w9R9zEFrbw
                                                                                                                                                                                                                                      MD5:F6781A08C2B18C6D751821744820B6C4
                                                                                                                                                                                                                                      SHA1:F10227DE4488F3E6E753D4FBD1D1C017A5E23205
                                                                                                                                                                                                                                      SHA-256:9356D1216420F334FF6DE21F1ABC93609EC7B037471453EC722DE89CEA954D45
                                                                                                                                                                                                                                      SHA-512:1270DB17862A22352BC8737B88B33C4FFD03146F2DEDE9F8DDB144D1F26BB8FFA35183FF9E99EDC408D7E14524D4C6CF82E833B4992446C982778A842C050D23
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):129312
                                                                                                                                                                                                                                      Entropy (8bit):6.1169104642443894
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:qShk64jKiEAYbKatyLJBsVkrc10FBR7yqwA:y55fSe7sungq5
                                                                                                                                                                                                                                      MD5:F3C93B3779D56D80D784BA712A74C9FA
                                                                                                                                                                                                                                      SHA1:AED1E91233D0DFD1937354D4A94C5447B87259BC
                                                                                                                                                                                                                                      SHA-256:5BE721DD3FEB1E56284390D592B81C1885F50BBEB567C53EDB8DDC1CD3210DD4
                                                                                                                                                                                                                                      SHA-512:A1CEC4E076613695FCA1336B4C40F4EAE2F049CA5CEE522EE4082F3BF74C3704DF41655E00A806365A216110A7997DA0375DF74F5CA58FF072647ED80E352BDB
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15656
                                                                                                                                                                                                                                      Entropy (8bit):6.793667220027114
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:Vv8XzrxAlvUWKZWWGhpWjA6Kr4PFHnhWgN7aIWxn+EYHnsTX01k9z3A1Nmjl:VEDlAUWKZWWOYA6VFHRN7qpYMTR9zUc
                                                                                                                                                                                                                                      MD5:92E0E5A63D25B9C3AE3983FD1B126A8D
                                                                                                                                                                                                                                      SHA1:AF7095C2D4D58A19F205ACEF1019064905F44EF5
                                                                                                                                                                                                                                      SHA-256:F006C1DF74494ED22ED0ACE97F4D3D1A8B2B5C65DE706D201B76146FDD5EA6EC
                                                                                                                                                                                                                                      SHA-512:92A3F172F88E4BCE2B7651801D7FBDCC7C5BBFC242D60FD416EC6DDDADC4E0BB98ED24979B0FCB008B220D7EB93EE45C4DC39E4B030A4F9F23AEA94FC8ED82CC
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1116440
                                                                                                                                                                                                                                      Entropy (8bit):6.644311003487164
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:/3e0zkmiwp8+2KFhA8WDlLeO9om5EoA/mSdWDURfeGWFbrWuoDzAVdrN:/3e0rdp8ihocOWm4/iamGWFbB3N
                                                                                                                                                                                                                                      MD5:64E6830F63DE5F8F82A4F45BB5AAC4E1
                                                                                                                                                                                                                                      SHA1:3834E21EAF634DD532FC3D77B9F2449BF9F384CB
                                                                                                                                                                                                                                      SHA-256:A82DA76C39DD2287B580986C9D21E7405E3B9D43953C1856AD9036E117462A2E
                                                                                                                                                                                                                                      SHA-512:EE57142DD8A3036F0D545408FD68B325FA614615412E94F49536C391C009809EEA17E17BA3581A8DB4C2A56DD3E761A21A7BA3458E537F086270A45099504928
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16136
                                                                                                                                                                                                                                      Entropy (8bit):6.781423994083627
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:giSI4jCaxPtdWSx+W3pWjA6Kr4PFHnhWgN7acWbRQRfKDUX01k9z3AyCWtQG:GPVdWSx+W3YA6VFHRN7PpR9zldtQG
                                                                                                                                                                                                                                      MD5:92BFDBCC5A2A2BC7DB8AB7A1D759B827
                                                                                                                                                                                                                                      SHA1:09C260B069057E7EDA73BAFB78DB6F5A5968F5B1
                                                                                                                                                                                                                                      SHA-256:081035E2019F5614F08BBEE64BA2D4B93958A6F1F6EC7CAD305109519DB07C9C
                                                                                                                                                                                                                                      SHA-512:C43D173D96D9743A5917F02F4299A36A15C99252C271DC5076EF80DA0ED06088A8300DF7F31301F937E641E6B91FAB7AD1F5F0B6A57AE4DEF5196884F71F1ACF
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):43312
                                                                                                                                                                                                                                      Entropy (8bit):5.201190108733127
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:oCWmBeW8p0YckPuTNRyVP0a+SKuD6tdjRGxX6HRN7j81zxIPaR9zEa9:o4qckWTwD+juw6Wj81zxOW9zT9
                                                                                                                                                                                                                                      MD5:E58204BCE15E07EC0E3A9E1BE50DE9FB
                                                                                                                                                                                                                                      SHA1:E9EB5D8BA8AB976B0FB4A8A267898145DB7BA2F8
                                                                                                                                                                                                                                      SHA-256:1C5AC607683FC37DCEC16FEDD9360DDE2A214444596E3C2EA922EEB0C5E22EE9
                                                                                                                                                                                                                                      SHA-512:D38BB77B4E253748E18AAABF8817A7CFFC802A5E42E889107A8763B1833F4550D313EBEBC7290079023A4617E1533D2CA3F78A2017908901B0A50496EB589BA7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16664
                                                                                                                                                                                                                                      Entropy (8bit):6.685947251423688
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:y+CkNQKYxA7qjWhFCW0WxNzx95jmHnhWgN7agWBBXLrp0KBQfX01k9z3AA7OfL:ytjXjWhFCWbX6HRN7oRxB+R9zpifL
                                                                                                                                                                                                                                      MD5:6AD5CAD80276892BA4CC02B27E85BE12
                                                                                                                                                                                                                                      SHA1:7333C6F4682AD9C77D9FC319DFA48372A5CA321A
                                                                                                                                                                                                                                      SHA-256:ACD8F3EA0B145517E9DBE2D276B174DF4C7EBAAE28ABA62EE2303A8AFC83235F
                                                                                                                                                                                                                                      SHA-512:5C010AC745B3DBB5D22149DC8C373B2ECC9D9EB38566714FF23119C4FB0BC03B4A49607DFC073DE5912DBD8B4583E80C1E528CD5710C1865CD1CD18CC7CC08C6
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15648
                                                                                                                                                                                                                                      Entropy (8bit):6.7745107157816
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:nhDOxAmBW4+3W27WxNzx95jmHnhWgN7agWPDucADB6ZX01k9z3AqRariR:OfW4+3W2UX6HRN7EucTR9zlRarM
                                                                                                                                                                                                                                      MD5:B60D236051B2ABCB66F74C4812223C62
                                                                                                                                                                                                                                      SHA1:8786DC5545047F56D1C909265841212C203ACE2C
                                                                                                                                                                                                                                      SHA-256:4EE54B35DE61268A3C9DB9A80DB5F005B49C134F5E9CEDCC0B31CDC2D120058C
                                                                                                                                                                                                                                      SHA-512:93873F04B3C5B8F962DD376DD7A3B0672F85F086C5E8BA08478488740D8DCE9D77679B8524E210CCF4F2386D8CE5CDFFE17C2709C79897C7F477A6ACB4D59AA5
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16136
                                                                                                                                                                                                                                      Entropy (8bit):6.723144015881292
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:PaO9uvWV6zW+mYA6VFHRN7DgFDR9zTPUz9/:Pl9unPmFClDkl9zAz5
                                                                                                                                                                                                                                      MD5:066BB1ECF94BF9C15F39A89C55AE70EF
                                                                                                                                                                                                                                      SHA1:B711BBAD6052C4BB53D8BEA0DBB9FA64B3402DDB
                                                                                                                                                                                                                                      SHA-256:78EA4958BBA58923073533245EEC77810C34DE5C4D7F8FC5F2DCB20503C39068
                                                                                                                                                                                                                                      SHA-512:610558F4B5CF6F72921B3BABE28CA842EFCE97A85FA4FABAD91FB8EB92ECBCF5154A52E185965347974720D0E377239DCBEFE00940F4F28BA78A6438A8B5547D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):51464
                                                                                                                                                                                                                                      Entropy (8bit):5.757823712774265
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:tIc32LPcTNq2irs+I3312/gb04IhFCloU9z64:tZGLkxq2iy3F2c0Rifzl
                                                                                                                                                                                                                                      MD5:474F5DACA75A68CCB27640CA24FD360A
                                                                                                                                                                                                                                      SHA1:68A5F5EF287E31046B5B90C58DD4D9727E0B1E1E
                                                                                                                                                                                                                                      SHA-256:9175EF26F74399E465C8053B142704EFD03727FE9837A5EC608433A417DFE326
                                                                                                                                                                                                                                      SHA-512:E5620657ED62AA0C71ACF5E8FEC0ED47857C7776868D2374A5F48ADC9AC7F2D4DB46B055C4C9732BF315EDA9FFF78F9347570B7A2AFF6E25D9602CA8647B1D88
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15672
                                                                                                                                                                                                                                      Entropy (8bit):6.804784998922409
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:m7xAvH5HmWgJ2WQkWxNzx95jmHnhWgN7a0WECSj9BtaFFX01k9z3Ay3myt5D:MCgWgJ2WQLX6HRN7JCc9WR9zBT5D
                                                                                                                                                                                                                                      MD5:C491FA202B388C62A783E9E7B8219531
                                                                                                                                                                                                                                      SHA1:4DB62FCC3451FE365B96AC8F6AFB8B36A310D0A7
                                                                                                                                                                                                                                      SHA-256:2DC6D8D20AF5A36257AF1E816F289F3F21611E811DBE9AF20966E5D4E701B7E1
                                                                                                                                                                                                                                      SHA-512:2046C41F7F5CD99020FA5784B8656636CE6AD2EC35295AC580704314622841812F4293C08847C01AE2DB833AEAB4DF2DF59BC33812423121FD1DFC9FF42A04FF
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):31032
                                                                                                                                                                                                                                      Entropy (8bit):4.668485682155773
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:eWsCLWChjxoeaVEEfX6HRN7hq+GkELRPR9zjOCI:NBpapWhqGQ9zK3
                                                                                                                                                                                                                                      MD5:511A6CD95CB5E50ACC7C7B97F8DE3531
                                                                                                                                                                                                                                      SHA1:3AE756447C028A59CBCFB20CEF96483337DE4B5B
                                                                                                                                                                                                                                      SHA-256:2CF2328B2BB67EFB7A4021E6B1093282826A7D221BD3B3B57C145E5E13374456
                                                                                                                                                                                                                                      SHA-512:033E5553663D65A66007021D5773BB3046C2B24D51A991C83E1B025170E9D04B910273467CBAEC9CDE12B79DB10E2C9685AF5722BBACD603EEEA5ACB565F4788
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):18224
                                                                                                                                                                                                                                      Entropy (8bit):6.562338179216365
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:5/Sj5rt9x+vFW8gNWXNX6HRN77pGR9zqYI:5qj1tSOIW7Y9zPI
                                                                                                                                                                                                                                      MD5:33FB9BBBCBA3E7BBBD7BA9216958008B
                                                                                                                                                                                                                                      SHA1:7660B39FDF52E35EDF106D6900F2C7862121EEA4
                                                                                                                                                                                                                                      SHA-256:C31F0812B87812A10627C8603CA265E1A33927047134B1DD5CE69356869E250C
                                                                                                                                                                                                                                      SHA-512:D51FD4D60B53C8BD23BC285FF34C447CEB517C3E402A8D61DB397996C3800F268B4F0ABEBEAC12BF42B608506EDCBF66CC4A27E46C0842B9BA149DAB61E5F01D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15664
                                                                                                                                                                                                                                      Entropy (8bit):6.814505381555342
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:6lfzxAd9sbIWAZmWwXWxNzx95jmHnhWgN7aIW2a3YHnsTX01k9z3A1yb9:AftoObIWAZmWwYX6HRN7+YMTR9zUg9
                                                                                                                                                                                                                                      MD5:5E4C20E0A38D62A629E7009686E20264
                                                                                                                                                                                                                                      SHA1:27459AD6B3431B3B522CBD4AF7CB8DA84618353D
                                                                                                                                                                                                                                      SHA-256:FF10134A6AB7612D6AA2A368B1C6F3173A30CBB1ABF8D517C97895DE72132F2C
                                                                                                                                                                                                                                      SHA-512:5F11D193335F8556E66A040B1D29B18BEEDEB2F3FF1DE4E59D278E9B9E45464F9B5389C7815DB5A8889BCCB754F9B7F6E58B4535FF749CC33FF701B43516CEDA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):51480
                                                                                                                                                                                                                                      Entropy (8bit):4.96736494913135
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:bOxGMiFMwIIARptGdwWxroe+MH1Q+k71pb52BWAD9zh:bOwMiFMwIIAR3GwWxUezVzkjbeWApzh
                                                                                                                                                                                                                                      MD5:B3CBC3F39F271F7E23A0959D2C4A26CD
                                                                                                                                                                                                                                      SHA1:FD29277A423DF0E2C107E3C306228C665767E99E
                                                                                                                                                                                                                                      SHA-256:B5415B6BE10C1E87BF8FAF4206471EAD93E0AA4F445CA8CD9F35B8EAF8158D90
                                                                                                                                                                                                                                      SHA-512:A0D7B80F572ACFA60B92CBBDF06EDE4050944281D96E419DED9C014DA085387B2A9D841BC28E5DC88562BF92720E6AFC516E744E16FA4E9C4E6E1C173CEC744E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15672
                                                                                                                                                                                                                                      Entropy (8bit):6.847005993457445
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:K7e1enxAbDNrWHDUWMqWxNzx95jmHnhWgN7a0W0kzj9BtaFFX01k9z3Ay3mKPUpc:KCUxQBWHDUWM5X6HRN709WR9zBbMc
                                                                                                                                                                                                                                      MD5:13D864886ED9DAF09E800B3851B4A05E
                                                                                                                                                                                                                                      SHA1:5F7DE3337CD71E167B6D70626D29DC7139AB765C
                                                                                                                                                                                                                                      SHA-256:357797FEA3E2F1FAE6DB8F47AA096BDC35707BEB16EA912019877812708841D4
                                                                                                                                                                                                                                      SHA-512:F561129CEEB84C4C0AE1C605887907E9ABA9BF20A5107828F706D3A5BD075C87C918B0551845208D81A1AD65CE7844044187430F943EEF8253FD257AC6E937F7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):96544
                                                                                                                                                                                                                                      Entropy (8bit):6.028171254215127
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:4o6MupEelCtJfKS6+67NspnSPM+l5+CkmVhKWHOiOyzUizB:4o6R3lCto+dSPM+rJkm7NOxMUil
                                                                                                                                                                                                                                      MD5:1DF866F691DEF4290407F5CF01B996AD
                                                                                                                                                                                                                                      SHA1:B2BA5AF3F80AAB63EF2FECF6341B44DEAE201AC1
                                                                                                                                                                                                                                      SHA-256:127EA3F2FF47CEA14C082B2ED22066554D22C9D8F97DC0D403B17042FAC62A5B
                                                                                                                                                                                                                                      SHA-512:6F96AEC2ABF7F6E96B7699F67CC8547334277C8E502E6ED357713C54B68FAF264B1843EA42E6AB0F7C6AD7DCC1098B9042E1D5F15E93DB6F8D346F613D1F6A1D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17208
                                                                                                                                                                                                                                      Entropy (8bit):6.6141833133111865
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:JYzYQZrDroWmyLWyoWxNzx95jmHnhWgN7a0Wdd7/mcj9BtaFFX01k9z3Ay3mIamu:JYkA3EWmyLWyHX6HRN7k7/mi9WR9zB7I
                                                                                                                                                                                                                                      MD5:66227035D9417A2E4B4FA6598FEA969C
                                                                                                                                                                                                                                      SHA1:398C254B721337177A5BB236D49CA6E2B218095E
                                                                                                                                                                                                                                      SHA-256:3A18C5B41B723D5DABA3088D621D4EB8DCEB97FA9B2C4A850D54FD4381DC3C22
                                                                                                                                                                                                                                      SHA-512:26D4059CB06967641E5A935B36A7AB50FCCE0B7374E62BFE275B2C138B46ED9B8CF1E4B1F7C029586B8D9DD913F736EEED8C7E489A5FF682AAEF67DC2202E0E5
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16184
                                                                                                                                                                                                                                      Entropy (8bit):6.74808977719352
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:pDUElhzxNeW5ZGWnWxNzx95jmHnhWgN7awW59FeHqj9BtaFFX01k9z3Ay3mRcbe:dUEl38W5ZGWoX6HRN7g9EHk9WR9zBK
                                                                                                                                                                                                                                      MD5:4ED4A34C35F7B26E8E246D16C2DE6A53
                                                                                                                                                                                                                                      SHA1:2FD8657B37AE7750FE1CADC7D555041063CAF821
                                                                                                                                                                                                                                      SHA-256:F106DF84A047BA38B018AB7BBA10E2D2D6B2A5FFE5762CE8208C339AF3BB21C6
                                                                                                                                                                                                                                      SHA-512:3A7CC11E455ED511313366B5A2527BC52698B8958E9E7E20B56768C9561D10BBF13A2D327AE0467A5DC64F7643B8D16D6A65CAE1C4E1CED6F62360C9C535F90F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):330024
                                                                                                                                                                                                                                      Entropy (8bit):6.652134966205565
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:K103Ufy7eeqvaM7BWp5lsQV57Q5t9dtIKcB9+:K10kfy7eeK7MlRV574t9dtUz+
                                                                                                                                                                                                                                      MD5:3ACFFC369AECF966DD9C9E1F6FB966B6
                                                                                                                                                                                                                                      SHA1:AA0A79D6AA6760A71B2A2E47E03BE0A43892FE1C
                                                                                                                                                                                                                                      SHA-256:55D0E21E8AD1F851E0803AC655D9FCA5BEDA6692592FEE421C179AF64109DA43
                                                                                                                                                                                                                                      SHA-512:DFB97F5F791CBBD7C308754BBEB4D63A0AFF098313113B931E74CF824F67B765D3667662840BCBA8DCC9BDB07960D83408B7227A1749A6905CD1851C7C0F15D8
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):309544
                                                                                                                                                                                                                                      Entropy (8bit):6.565288812451409
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:lzv7WOXu33WPEei5EZNqHRk5XDiio9gZbzZYNAgk74dzzKL2zLjRByB+dhBDIoca:rWLtBxTDhcnFUB2aKg97zc0
                                                                                                                                                                                                                                      MD5:5D3970DB4A500B2349BFA20B83BD69E8
                                                                                                                                                                                                                                      SHA1:A4DDB5936ABE75A46A83A293771B2434E3C47A83
                                                                                                                                                                                                                                      SHA-256:748CCE10A02BBF3D24A1C6D7FEBFF0E5A8E7AE2E9C423BC904643B8D54FE6297
                                                                                                                                                                                                                                      SHA-512:3F57F56FF97E63FA130A204DA1B63811D0B77EEC9B41A70F12204855B395CAB6C6169972C20B149DB4EF6148313FCCBEAF6FDEC5F228EDC06400711F6E9C0275
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16136
                                                                                                                                                                                                                                      Entropy (8bit):6.748110626945014
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:JkByVWbuodB5W+GYA6VFHRN7ykhpR9zldp:JkByWVdBRGFCl3D9z1
                                                                                                                                                                                                                                      MD5:44DBC666AD269986DA0AA1D4870DCC43
                                                                                                                                                                                                                                      SHA1:787AFE4CF6DA55E71A0BB946CCF9BF41FA0FA284
                                                                                                                                                                                                                                      SHA-256:53BDE641865F6240C7C7228809953607A2609B72D096197EC07495E44686F87F
                                                                                                                                                                                                                                      SHA-512:663BBD7021ECE6A80CE2E9A02AADA4EB5EEEE54155DEB5E389F28C3E45E7D4E31CD2E1C8A49D4F626CF5AC226B416C975AD76F0F4B4E8B756D136D950ED5019F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):39224
                                                                                                                                                                                                                                      Entropy (8bit):5.151825928966964
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:tHWFISJBrW2ANFdBha0I5qzv80n+a8+gEOR9pnUkO2akIGt6HHD9ax15JRXSCX6r:tqxJBgjaVyU+g99pns3KNWw9zn2
                                                                                                                                                                                                                                      MD5:977C08FFE5527A368DD5DC4F6E5743D5
                                                                                                                                                                                                                                      SHA1:A9BDBEC552469651D6B74AAAA211DB2895BAD869
                                                                                                                                                                                                                                      SHA-256:1439D12A15B1745DAC140FBBC659638D665A86F7ADDA6B4369D9F50E008256A6
                                                                                                                                                                                                                                      SHA-512:0A588E32424B43D3EA74A7A8FFD7F54BD069F4BADF7A4C134DB8A8A25EBC49FCB472A3F76CC08FC2C9FCA026AE8FF6E05A2C943E45D757B09447C105343664D8
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17200
                                                                                                                                                                                                                                      Entropy (8bit):6.683002357395069
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:awskrZI8NuKRMWsBfBBgWP5X6HRN7Mz9bt5R9zEx3g:6krZI8NuKRiJBBTWIx9zP
                                                                                                                                                                                                                                      MD5:992AA05D8ABFFC669C94BD88A399D792
                                                                                                                                                                                                                                      SHA1:916EF573E5D82591100DD06C6A6FA8C80A7418E8
                                                                                                                                                                                                                                      SHA-256:D37E6A8F6B3882C3F601C80880E6A9721C42A175C29F553695B42C16774585B6
                                                                                                                                                                                                                                      SHA-512:087F0A38A67246FADB517F54A0BEBFD11D7725D90960822137FAA82A3661FD18033C9761E70BB24D7551C84902D07721E2D10D1C8250BB51C53385136F78485D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17192
                                                                                                                                                                                                                                      Entropy (8bit):6.684282851066347
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:LkXP2tNCj8N8LWgMr4BHWGYA6VFHRN7GkELRPR9zjO0jQp:LkXutNCj8N8Po4BlFClxQ9zKhp
                                                                                                                                                                                                                                      MD5:1B4D714283918CC3F29285ADCC30CAEE
                                                                                                                                                                                                                                      SHA1:FE85DD75367C8AB9AA9CD6430C553A18237C1F8C
                                                                                                                                                                                                                                      SHA-256:06CD0BD2011F05F72D0F413489443354D7946A33F6B78B1DFDC939A8F9080696
                                                                                                                                                                                                                                      SHA-512:314EAA273347B7A28DEACB78E25D6495090E8DC5594C3CF443DE7D5EB748014B37EA19BA36543FCCC7FA6CCB1C259E33AAF662B05AF3F824B8717E67E555884E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):43816
                                                                                                                                                                                                                                      Entropy (8bit):5.851306072446327
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:2+1fsSED2vCeDQvRzXB3gWql6375IVxedktN7xPBhwsR/JG39QRoNvsh2JcfoDLu:KB/LuYdy50b4b7RSHTSkingzIh
                                                                                                                                                                                                                                      MD5:DAC7D72763E59A64C0D706325B747D92
                                                                                                                                                                                                                                      SHA1:5890F0EE30B86E01AB55D6017261554D16F6C916
                                                                                                                                                                                                                                      SHA-256:9C506C9347F872C3375255F744DCF83B71A96FF71CBF4A19B39873FA22F73C22
                                                                                                                                                                                                                                      SHA-512:4218CA96D6D2D4E24E3B6A70A87890A9035156D522D217F48999870F644548A7BC5C09B78B23DE41C5974C375F9D03ED49054A173B4230AE835FF808469CE50A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):231696
                                                                                                                                                                                                                                      Entropy (8bit):6.491225217557608
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:7XHFwjow9j0rKu8bmb3KD/L8V8/6Xe9QF+wVkjoxFwGzXGA/+PXuPXpP:hwjow9A4bmrA/mtFdWfuPh
                                                                                                                                                                                                                                      MD5:AEC18CE525B03B3359FBC19E00D6FDED
                                                                                                                                                                                                                                      SHA1:F69D5504D3A4107B43E743FB714B2EE8C340178A
                                                                                                                                                                                                                                      SHA-256:DE77B6A860B6D1E9DBB6E260EF352AA9981A4A76C18A3BD144A6F8F041BBCF64
                                                                                                                                                                                                                                      SHA-512:0D7BC1B94563186D36276E57FAB09D85F1269BBA230331077F61C8E96F53A0F97B99AFA6E6859C8A0F378C2B44979B2098C3841FF639B134041459C69FCE985D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):100632
                                                                                                                                                                                                                                      Entropy (8bit):5.968533454375661
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:mt2q/as3w2pm4X+bX5SdluDQu6O/UZxOQwQ7rzUU3q2bP64LrSjYFFQWEzwC:mMU3LpmG+bJS7uP+pXSsFKvT
                                                                                                                                                                                                                                      MD5:31E935263D51F39C224E403BD5D7CC00
                                                                                                                                                                                                                                      SHA1:8AF5EFBC150D8F944ADF84F89BFD9C11D00183E1
                                                                                                                                                                                                                                      SHA-256:9AEDEB23632F45084722906CED314074FB14E08478545A221AB6476FEBBAFF0B
                                                                                                                                                                                                                                      SHA-512:6B95226C760DE73C85A4A9ED972C1F51F14B50087BCCAC290A31813FF3F6F882F7B5C7EE21352F504ADCB7324214827D32BF9FE1DC34447520D97A7C12758D1A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17680
                                                                                                                                                                                                                                      Entropy (8bit):6.616772216364839
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:nXqqGWqkBWxYA6VFHRN71aEpcR9z0B7i7:XVFoFCl1aEpw9za6
                                                                                                                                                                                                                                      MD5:3E2C2FBEF86A88B2BF2FD8B177FD6D0A
                                                                                                                                                                                                                                      SHA1:3B2B791ADBF69F9A37597B80FBA9E9932E49A6BD
                                                                                                                                                                                                                                      SHA-256:A28C5AD8CFC585C3D225B07AC28C359EACE65765EAA306FF44D7A6511262792D
                                                                                                                                                                                                                                      SHA-512:6671151577CC961CE2C016543EE78C6197ED5BA9ACBAD855641AF5F661BB0BB4A5253E9E7BB5AE52253ED451F90818289826C242659ECCE405C25F1B0092C83D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16664
                                                                                                                                                                                                                                      Entropy (8bit):6.725385029818809
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:GvVnAxNaH3xA+Dr+jWx2fWRFWxNzx95jmHnhWgN7agW3GByMyttuX01k9z3Al6td:mbHh7KjWx2fWoX6HRN7W2cSR9zi6tL5
                                                                                                                                                                                                                                      MD5:B00B172EC15D23D3BED84FCFA40D59D2
                                                                                                                                                                                                                                      SHA1:2B98143649573E5DF30EE989D46D1DE956BDFC4F
                                                                                                                                                                                                                                      SHA-256:A589AC8A9E90BA4F3E96CEC8B360B894DAB5FBDEF0004EF428258A9DC28D309B
                                                                                                                                                                                                                                      SHA-512:3822F4DC24FF40893470D15E05E4E54933D19350227CF07696231A8C7EAF955AC4B303C075FED0AE2AB6C25BF790F889178C06F340F2D22BFA342231EEE6E5F9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16152
                                                                                                                                                                                                                                      Entropy (8bit):6.795290241765418
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:sSbUikV/AvcaTAFCA3xAiHIRWLgtWhW+WxNzx95jmHnhWgN7acWVxwVIX01k9z3G:RbUlhfIRWLgtWwFX6HRN7eR9zEOrc+E
                                                                                                                                                                                                                                      MD5:E593AE76E4CFAC375120915947952FF6
                                                                                                                                                                                                                                      SHA1:8015474D50021C65A65867636086E4A8A3A6F347
                                                                                                                                                                                                                                      SHA-256:5DA38D4A9EB67C2EF23B416A505E0FDB2A22FD5FE45D241645B37B5B5F0BCCE8
                                                                                                                                                                                                                                      SHA-512:43C7368A394B119839BAC8FC2B0F9213307C84F297CE480C0BFA3DF6300F3AA7B55E64E789D1EF619E88364387CB11D2228015D3A2CC8338596348D7B2772A0D
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16160
                                                                                                                                                                                                                                      Entropy (8bit):6.7458016577263
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:szoXpW5ZWWLhX6HRN7SmO/7R9zj2INRSX:szoXGDpWfOF9z6b
                                                                                                                                                                                                                                      MD5:FA0C6A5EBA91D8A8B17232345900DD2D
                                                                                                                                                                                                                                      SHA1:75AE67259791C5D4F580A9D2E0E7A892CB3B0902
                                                                                                                                                                                                                                      SHA-256:AA82B36AF87D73B54AB0F0E5EFD9FDB16AAA6D3F385F238364ACD36E482999F6
                                                                                                                                                                                                                                      SHA-512:8A76EF22006A7D4D3DF580CE00D310574251A91E942400E39637B57840EFE8386E51E27C92839E63038397CC900EFF43FEFD68A6E8820FF0C03CAB924F7DF812
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15624
                                                                                                                                                                                                                                      Entropy (8bit):6.84073937768766
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:sygdxAWK9WAm5ijRW8ZpWjA6Kr4PFHnhWgN7acWLmFGyttuX01k9z3Al6tLw737I:ca9WAm5ijRW8ZYA6VFHRN73SR9zi6tLr
                                                                                                                                                                                                                                      MD5:09D34FE80AF19BF5B77BBEFCC01F6E6F
                                                                                                                                                                                                                                      SHA1:0A4FC9635C6710682C6D7FE32F91DC28C29ED7BC
                                                                                                                                                                                                                                      SHA-256:F644B4FA91D1BDC0596F390C99A123C206D0115FDD18CE778A23254066F46270
                                                                                                                                                                                                                                      SHA-512:E8131DB3070617A09955EFC7D267B2687A6FCFB7BD061FE027B54721C461E4D7119A0E80DD346865D187BE548001064A900479E99922835D90EC1222659D3DEF
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16136
                                                                                                                                                                                                                                      Entropy (8bit):6.783350992582665
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:IJ6y3F1cxAKh7jWI+3WepWjA6Kr4PFHnhWgN7acWWPVs8RwX01k9z3AzBhJ:pW7KLWI+3WeYA6VFHRN7Re9R9z6HJ
                                                                                                                                                                                                                                      MD5:67BD5079FEA8657220315ED9B2DBAF97
                                                                                                                                                                                                                                      SHA1:63F0A66127FEF3021E2B64B53758FF202C3318FD
                                                                                                                                                                                                                                      SHA-256:13BC715968175667FEC2E02B13300F5DE2A867B754B79439D2633FF3F9240560
                                                                                                                                                                                                                                      SHA-512:05B77B8A04F623F79E91D3381FFBABE7865089EFEFBEB29CDB016856C80D2CDEEB72473872D237B9A23F937CEE82021165BFF05E51065C4F8DE71B5B273A6EA7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17184
                                                                                                                                                                                                                                      Entropy (8bit):6.739673851144617
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:kw7H2ocvxA4fjxWemfWkqWxNzx95jmHnhWgN7agWMVkCY00pyEuX01k9z3Aly+E2:DH2ocZpWemfWk5X6HRN7LVVEpcR9z0Bv
                                                                                                                                                                                                                                      MD5:3CC8CAEBB57D05D1909F39A6D647B901
                                                                                                                                                                                                                                      SHA1:29F8797E4DD7F5BCD863FFBB7888029BD363361B
                                                                                                                                                                                                                                      SHA-256:5826E377C017BB5C872E173DB728BB38FF072D1E0FB26B8E19B9ECA088752918
                                                                                                                                                                                                                                      SHA-512:927D96034350439D2DE069018158A2A9F2C9BDEA8520AA09B3232ABD2C2283B41EEBD2A661A46333D4F95339B5191FC72F6F192FE7C6C6C4428BAD5661CC76C7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2050328
                                                                                                                                                                                                                                      Entropy (8bit):6.67414937170935
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:edeK2ZryEXV6VZMxfVRVgmJE2Jjd6ECxObm8w3b41R:edeFfxfxgeu41R
                                                                                                                                                                                                                                      MD5:18921E60094E6EEB74476CA10F785368
                                                                                                                                                                                                                                      SHA1:CA39FBBF0481B521F289C189892CD4BDC6D2D09C
                                                                                                                                                                                                                                      SHA-256:028606C9C16ACDE6BC7874809E2417FE6FD7BA94D3DCFD04CFCE5A4C21F16FF4
                                                                                                                                                                                                                                      SHA-512:0BC5B20C232E9F13EC372FA6BE23DE495D9EE0FDBB577C104EBCDA0EE349F9282A68B3C88997337EC2ABF0DAC01885143BC9188B3308CAC5C1263112CDF8495F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):186640
                                                                                                                                                                                                                                      Entropy (8bit):6.420537455369693
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:72kZDNC/sCTyRdtl63xJYrwkpDCRi1CSB2TOK1BguZbKXm:7U/sC6Ll67YrLpDCR4B2rPjxK2
                                                                                                                                                                                                                                      MD5:7C560E02F8DFD723471F71CB71C0CCAA
                                                                                                                                                                                                                                      SHA1:C1EA98009AEA6C3B12E078965CA3472E44EDA305
                                                                                                                                                                                                                                      SHA-256:59815FEAB7B47ABF6E7D4231A7081452B256704A3834C6A927A9E74C03897B9F
                                                                                                                                                                                                                                      SHA-512:32120BCF4D3E5C7A5AE676688FA8F0102C752E059C5EAF8987B37EAF3436C6892F9D1E7B3C531DB808E1E554316E24ABB0E3848705517833309954EBD537B037
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15656
                                                                                                                                                                                                                                      Entropy (8bit):6.8053996554852345
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:CB0LZxAyk4jWVUmfW2fpWjA6Kr4PFHnhWgN7aIW5agiZTOebR5X01k9z3AZZNFrg:zLD+uWimfWcYA6VFHRN7b9bt5R9zExr
                                                                                                                                                                                                                                      MD5:C9285D5497F2850234F48A0CF5619C0F
                                                                                                                                                                                                                                      SHA1:1B3AEAF0C40E401C1A2B4C19EAD12314B5782DDF
                                                                                                                                                                                                                                      SHA-256:902D836B8CB066DC2279E4DE0979B5A380BDCCCCFA69634BA51111CAC2BE2F44
                                                                                                                                                                                                                                      SHA-512:5EE72864A21C23B1AF540DAD95D67348837467A3CE19478B02223EE220441E40388B97C8E1110452F32EC2FB04BB63B649E49860153B5B1DF3F4D37D1C37866B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15664
                                                                                                                                                                                                                                      Entropy (8bit):6.831153527632702
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:XMBPxo2xAjD/W1O3Ww81WxNzx95jmHnhWgN7aIWbTmAg7iDtagQ5X01k9z3ADqng:El6/W1O3WwpX6HRN7lriDtdQ5R9zaqcx
                                                                                                                                                                                                                                      MD5:8CC719E1BA62CA6F7BAED90FDE41BF8A
                                                                                                                                                                                                                                      SHA1:6F28D219D46E0A87658E0C46C5DABEFAE795F121
                                                                                                                                                                                                                                      SHA-256:1AF90D82A617AFB3BCCFEEA39B6D18CFD3A7C93CC80C8B75DBFF0FD2E75E7BD8
                                                                                                                                                                                                                                      SHA-512:E693831E7C4DE5BF2BF955A64D27B84F9ACABDC2BC6D7F150C582CE05E430C36BF48B22680E9A9831AE73A0615FD522576C22DD015CDE7D629413E200E5F138C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):18712
                                                                                                                                                                                                                                      Entropy (8bit):6.530599284978063
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:jIhDM3WsKDWYX6HRN71nRxB+R9zpj5g9Z:jIh4iPW1nRxw9z15sZ
                                                                                                                                                                                                                                      MD5:0E43639AE0E98F9148C913477276A391
                                                                                                                                                                                                                                      SHA1:507E7B61569746ED20B920BCAD7D5C803D1E7736
                                                                                                                                                                                                                                      SHA-256:C0F486C4FC818613DFC50485F7201B5A59A79851C3CCAB2FD75EDAB2456C33C4
                                                                                                                                                                                                                                      SHA-512:1340334B451CC8F81D4FF525F5EE47988E3339921A8891CB5B0026E32669FCC0363D560478C05A81A7AAE4C81CE018CBD0DD6510DE94DED13B0892CF0EB424D7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17176
                                                                                                                                                                                                                                      Entropy (8bit):6.64645995156569
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:y3nspYI7GWGlM5W6WqWxNzx95jmHnhWgN7acWUlM/wKUWX01k9z3A/ylK:ptGWyM5W/5X6HRN712R9zUoK
                                                                                                                                                                                                                                      MD5:E6CEF184273D2FE35362FF4E5D866FF7
                                                                                                                                                                                                                                      SHA1:F6A57545875E5B8E1C8C05C0040BE9EA78207E3E
                                                                                                                                                                                                                                      SHA-256:3D08EB5338C0C588C1ABD53FE726BAE0607E0B50312F0079B678E3759FA1ABBF
                                                                                                                                                                                                                                      SHA-512:83D7671DC0B7E99068C8F322B1A81B090B54379EBEE2F9D6FED4104A138BDA4202EB92394B003134B73B9A2317A6592AD304C1435C7EBE5DA1953B1761130477
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16168
                                                                                                                                                                                                                                      Entropy (8bit):6.754179132368782
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:9NNuGxAo1BpWnielpFWYilpWjA6Kr4PFHnhWgN7aIWjvkYHnsTX01k9z3A1WdS:NHHpWnielpFWpYA6VFHRN7BYMTR9zUS
                                                                                                                                                                                                                                      MD5:E5C676801CA76BCBF074E99710503F02
                                                                                                                                                                                                                                      SHA1:63C05E75C9862CFEE2B26FCA0BE3F1FB4C37E175
                                                                                                                                                                                                                                      SHA-256:634A5D94940A58BC90AFC5DFC90839359B0A9B2F7E0D7F12CDDA3281DF96418F
                                                                                                                                                                                                                                      SHA-512:4CFB1A78F5698345174BBA119D51E48BC85A8381D8174231A7A2DD65C0281E726E34260B5EA5D1AD71DF5580070D4B4017CA4D3D9CF0592CA25600EE58FFD328
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):862512
                                                                                                                                                                                                                                      Entropy (8bit):7.457167201577773
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:pf7xn7kZQ6kliVreJIHHr0tRYbKr2KtG9VKABC6rPSYBKgTWeybo:pD9km6k/IwRYbiBeKGCBYTyhs
                                                                                                                                                                                                                                      MD5:ECB1B379B3BCB01ACB12FAEEDFC5D01E
                                                                                                                                                                                                                                      SHA1:69BBEA3B222FF7566FA746572022F77F81122AF7
                                                                                                                                                                                                                                      SHA-256:85F3296C927E27E28461F6325A05504C0AEA8B93CA79691542E2A9E9AF92D3C9
                                                                                                                                                                                                                                      SHA-512:CC3E2AF695AF5AF4CCFDD981B15175A2525EAEBEB9BCB87C094E23FB156C7A50651B6600961741A0CCB1F7ACF2D38394F5395A846736371CAA6A1FD21FB1643F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16160
                                                                                                                                                                                                                                      Entropy (8bit):6.7352349940283025
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:h7mXhp/SxgZW6sJWDWWxNzx95jmHnhWgN7agWP3zzccADB6ZX01k9z3AqRrimR:h6xiUW6sJWDdX6HRN7azzccTR9zlRrT
                                                                                                                                                                                                                                      MD5:7B3BDED48604BACF38173A19CB38F269
                                                                                                                                                                                                                                      SHA1:9D15D2AD99F7437C9AE1775898C739712F8E5F93
                                                                                                                                                                                                                                      SHA-256:A875D0785CAE18EE30DB531303C166BA1A1D30C0CA4AB8EDD38FE04056F91EAA
                                                                                                                                                                                                                                      SHA-512:A34CAD7DC195B6C5B8A5C89E3A93083B1D401B5F772807524CEDE69210B04BF8FE746D9925C2FDB18B8D0F7636CFDFE48CF26FB0095500739CDC48E141BF344A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16152
                                                                                                                                                                                                                                      Entropy (8bit):6.725439980411438
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:vzLJxAKpjWfgNWeWQWxNzx95jmHnhWgN7acWGPh3PMx6RMySX01k9z3AcyxaNIP:jJWfgNWzPX6HRN7PP9LMR9zPyyw
                                                                                                                                                                                                                                      MD5:A16009A8EEBE01B264F1BD291D51DAFA
                                                                                                                                                                                                                                      SHA1:7B4646DF65B243BBF2134594B08082F7CFE8F4A1
                                                                                                                                                                                                                                      SHA-256:5F1FAA88187672DC240B18D4199BB8040BBE8F3F7EEC939DEC5ABB1407137D22
                                                                                                                                                                                                                                      SHA-512:8EE0BDDA4F5BCDEB139C0D225E10385DA131808E7279EBBF2ED81CED81797A4E9118FCBCBAE46C07545D0B9D5C0527B81FE63E8543FDDC55125560518E676B9F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):133416
                                                                                                                                                                                                                                      Entropy (8bit):6.122557067980221
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:2bTDQlE37ykm3E5T+zpq5D3lhjdPTp8K76+d05HzdyRNX3Mpm4+SqUTiSc9zt:2bTDQlZx3E16qvZ5N77uLINnMkSqUT4R
                                                                                                                                                                                                                                      MD5:3AD11258AF678B2C75F0010EF78BC7EF
                                                                                                                                                                                                                                      SHA1:68B5984401243F1071D73EB0E3F021E043A17EB1
                                                                                                                                                                                                                                      SHA-256:CF456FA426BEF36E8ED5D71A3FAE3EFAD06F5425A53BDEEF427124DA42409D09
                                                                                                                                                                                                                                      SHA-512:A2D904B99F4935648C7471569DD4FF81BD89A9AC1BB7931390BD3872E691B3B58BCEDB48961E2AAA3AA8C04227887D2A1CBAD6B41C416AFDDFD002044C3104C6
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1501464
                                                                                                                                                                                                                                      Entropy (8bit):6.712609643579495
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:8tH4NwClgTsJL6Tb/DrtY5uR5K91CSVcgtl3yM8cVUgHTHLP4:OHlTs4rDrtj5o1N8ca
                                                                                                                                                                                                                                      MD5:07C161588790210444DC12F77D7CE1A9
                                                                                                                                                                                                                                      SHA1:0F2E4407C0A4F25759A94488646B626DEA7D8785
                                                                                                                                                                                                                                      SHA-256:93B1E1E677045AF7AAF17A9BFA9EA81D944E0918A94EB3492B78B22948550D47
                                                                                                                                                                                                                                      SHA-512:7AF614FEC989F5AF4C5A8B6787109CEBB98DB23783C4CBBCA22847DB8A84C515FDD87978CE96DD42D2D1B48E2F27BFAEEC8456C422923C6DDF35FDA3F4C574C4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1022264
                                                                                                                                                                                                                                      Entropy (8bit):6.8216381706865095
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24576:zx/dsuQ+B/b44HO2inDiv67tAEehjqnQf8:dQEb44HKivIehjyn
                                                                                                                                                                                                                                      MD5:D02946E47FC19B1C831A811808342B75
                                                                                                                                                                                                                                      SHA1:55739760E02BAFDA656149D052EEF444E68FDD90
                                                                                                                                                                                                                                      SHA-256:0FECFAC9BDD40C258F720FAC301E3722EA9FC245119E43DD30D181A9B1072DBF
                                                                                                                                                                                                                                      SHA-512:74FBB915D948C26F91D6295539A119C9E2B5B0C9877CAAECD0AD02F06EEA26B85AA2BF05CFF12A00098508859CC039A21D3D8AD10E04E1A969D280CCE2323290
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):133408
                                                                                                                                                                                                                                      Entropy (8bit):6.278452778470254
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:1T3t+/kXS+F3g2vlsEjd+fzs6Fls5JQzWoioIR3cBPdzyWBTzAp:1T3tYkCQQQmEjd+ZFl26zri9r2TUp
                                                                                                                                                                                                                                      MD5:03A17E0F4DA9EB9C6EBB6E10CA241757
                                                                                                                                                                                                                                      SHA1:612D03F4162282670D7276836B319F201DFACBD3
                                                                                                                                                                                                                                      SHA-256:985DF4C7AC42C3447490BEC7653F111E137A88AC633BDAB6D0FDFAD23CB22095
                                                                                                                                                                                                                                      SHA-512:39C1E597B35524E881902DC6F8946466EBAEFF404433A813DF7221DB316D3E1886A274065CF127740B31AD370F76D7C66B1FE7B965AD50482A0D624365922912
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16144
                                                                                                                                                                                                                                      Entropy (8bit):6.739782129844139
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:ZHYCHLcH4H8HUWcuHWIYA6VFHRN7G/7R9zj2IUH+:LWTFClGF9z6S
                                                                                                                                                                                                                                      MD5:B27644E15572E13CAB812C2031D76610
                                                                                                                                                                                                                                      SHA1:CD2D27ECBB2E4D703CF2C253C6575CE1B53F3F24
                                                                                                                                                                                                                                      SHA-256:00EE20495CD0531670CC761FF6B29A0230CF7C8FE607FCAD79567C5D1D01FF57
                                                                                                                                                                                                                                      SHA-512:EFE0493109B04FAF580A745EC7FB120F0688C2E374F9447D06BFA742F2257E69E0E1544C3393AAE4EDB13B986396F20E90C2B32F480A75753FB8BC8E8500C8BD
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):489736
                                                                                                                                                                                                                                      Entropy (8bit):6.715658217779917
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:x//X6hS+34BkQb8tA7nPgNKMpFI6bB5v30xhZWX9gL+i:xr+I0urMvR5vExhoX9gL+i
                                                                                                                                                                                                                                      MD5:3356784EF4FE8C2678C85D417848A48E
                                                                                                                                                                                                                                      SHA1:89E60DFB18514CA65A9606B93B7D2BA7B4BCA5FF
                                                                                                                                                                                                                                      SHA-256:FB97F3ACD266AE1F0D25BD4CB77818AE1D154FEA3B46F2C1A3ED1EDB842F46C9
                                                                                                                                                                                                                                      SHA-512:1C3AD7582BD3F5B77019D931EFEBBB3E79960AEF51D9624E00E183783E6F55CA2CA5BD09CF49B924C1970E10A92261230A14420D85694E04EC46F9A7DFE2107F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16168
                                                                                                                                                                                                                                      Entropy (8bit):6.769727575357376
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:SCVm05B091ncmJQ8fxGWSOXW5YA6VFHRN7l9WoJR9zgy:1VpM6urmFCl/R9zH
                                                                                                                                                                                                                                      MD5:740A782D6B359CF77C9E7A1ADAB24F77
                                                                                                                                                                                                                                      SHA1:8695E898EDFF87BA40B0D9A9C8CDB901A0C3C195
                                                                                                                                                                                                                                      SHA-256:B1DC1408C74380CB9F02D9B9BB3B550770B98E27D377E60F216C4B14D602356A
                                                                                                                                                                                                                                      SHA-512:31759B0AFE7EE71BE2DBC56C7273B9B125B9AC298B644ECCC60AAC7BFA1436BC72508C65D95353DCF944A49434BCE02C88D43B2A1E4253666C7F80FE741689EB
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):133424
                                                                                                                                                                                                                                      Entropy (8bit):6.345631677255552
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:hgookDn4z7gSCyhdrhYnS+5atmkg9nE3rVo9kQXL:xTEw3yhVh/h3rVoOQb
                                                                                                                                                                                                                                      MD5:E4248B0D435DD54DE832467B13489FAB
                                                                                                                                                                                                                                      SHA1:32F6B603442302F627BC5DABFCDB5AAAAD44281F
                                                                                                                                                                                                                                      SHA-256:43D450BB7B0D440ED0D7F9A933E68E69CC0E2591B5B4D6B81C682EB7DCE85548
                                                                                                                                                                                                                                      SHA-512:27A095A634F88193DA5B3507363B753B1008674789EA50C66E582CED633D48D6EC1042FE7BECDF65085E29F5BE979E9EF5BB7AA930E14DB21BD4C903AA94C575
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):17176
                                                                                                                                                                                                                                      Entropy (8bit):6.623536186140361
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:laf4fk3CBFoq19k9WHazWbIX6HRN7NejA2IR9zJNml:laf4BLonjWNgU9z76
                                                                                                                                                                                                                                      MD5:4B0EBBC7AB26C4FA2712DC1D7A9A430E
                                                                                                                                                                                                                                      SHA1:7E4872B4C2DA8CD8C39421EECCFEDB644F7F5882
                                                                                                                                                                                                                                      SHA-256:71F1B7847ED8C9DF6DB99ED7B756E4B846FEC646D8A8033C16A3945378AFC964
                                                                                                                                                                                                                                      SHA-512:339EEC43B703566A3094718FF28066E2A6011C3DCBAABCB3C7079CBF466D88F91702FB6BD8342DF08046854B6AC0B37A756A4AE7AEF20FD9A2C5D63477B73674
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16184
                                                                                                                                                                                                                                      Entropy (8bit):6.77418439872863
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:u4z2EI0W8tWcC7WGkX6HRN7cN8KER9zlZ:uOQvEWcN8R9zf
                                                                                                                                                                                                                                      MD5:00FE534A33B1F18DD900DF89E17F73DE
                                                                                                                                                                                                                                      SHA1:0792678A143E8ABDD57837D4B67D187B74570835
                                                                                                                                                                                                                                      SHA-256:ECBE1CDE0DE93B08489005DE9B2BA627725DC55646735DCF0F027E0E1FCE6F6C
                                                                                                                                                                                                                                      SHA-512:5AD071C4574453FE242344696DB8D132386CB05398C241F003C5643CC843C354288BB2C9A91BB6E0B8DB3E126B747C34BFBD01B51255C82DC6C237B86686E73A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16152
                                                                                                                                                                                                                                      Entropy (8bit):6.729725204835813
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:12ctmTqd92QxcNauUWEmvWGWYWxNzx95jmHnhWgN7acW9vVKDUX01k9z3AyCW6Ey:RtX92OcYuUWEmvW73X6HRN7g9pR9zldK
                                                                                                                                                                                                                                      MD5:C5F1D1ECF20663D3C1BC58887FB02131
                                                                                                                                                                                                                                      SHA1:FF1860873F1CC59E9EE1E95992CDF6BA3B8E30DB
                                                                                                                                                                                                                                      SHA-256:5913E28B4B0E1D9A722C378557FE4AF7DB39E8A5E916ACEF6EAEC9A78F5B4A35
                                                                                                                                                                                                                                      SHA-512:0B000EFC667A85D36793D01456886BEB56BB96D8AE89DE84E5D49B488092AFA272578733DAC2CB147F87E94A60F17DB8E0FD2EA72E868F331A9F07CEB44A85E2
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15672
                                                                                                                                                                                                                                      Entropy (8bit):6.780056232573692
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:aeF6QoqNSEMWs1CWEX6HRN7vuc9WR9zBBGj:aUov4WvA9zbK
                                                                                                                                                                                                                                      MD5:0A7251814B8BED94B4446C313D1BD7DD
                                                                                                                                                                                                                                      SHA1:4BFE5154B22D587A69B1F8BB02A745A7CC0F6AFA
                                                                                                                                                                                                                                      SHA-256:4A3352E5C4886501A6953E4C6448E389EA21C098A21638ED188A55C5A0C0E987
                                                                                                                                                                                                                                      SHA-512:22E06FAB674F06A141C1631C483B885EBB8EC48A96C164ED69985E675CC3FEFD71E5BAAC6D29008379CD0B1C6D16928917C2BB1D58A016294C6580DBF93415A9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):84280
                                                                                                                                                                                                                                      Entropy (8bit):5.968460814469461
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:AWgoICPLdImrmODZcUBeZ8j0GEH9wd633GRm3LGgLWz9zu:AWgo9PL6FtZ8j0GEH9wd6GR4GgLaS
                                                                                                                                                                                                                                      MD5:932A0C2978B649703C40B260B1955D26
                                                                                                                                                                                                                                      SHA1:E9A4C055BC14B3A2DB5BC5D0CF838E79838CE8E0
                                                                                                                                                                                                                                      SHA-256:15CC9DB291B87042F1AB4319F8D04F4CD226F15BF88BF0810B31DCD50FB0BB7E
                                                                                                                                                                                                                                      SHA-512:51D6D767425FA1AFA0ACD5A149B99D4C62BAB174ECD7485211E9B9635EB876319E8AD2A96D9A7CEF26BEB855DA3661B26912F05014F6DC22CFFE33306D9988E4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):661792
                                                                                                                                                                                                                                      Entropy (8bit):6.67434786359905
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:W/JxQHxtiM28JQUegnzVx3C9jB25sx91G0:W/r7wrzqg5L0
                                                                                                                                                                                                                                      MD5:1944601E5186DB41729C8096C8A08BF6
                                                                                                                                                                                                                                      SHA1:DD637874B36356698C54DB5DB565580C2183627E
                                                                                                                                                                                                                                      SHA-256:981215F0EE08D156867FAAFAA17F9D97D409BE691BAB0BD330D5BAB864FA04F3
                                                                                                                                                                                                                                      SHA-512:185C2B7994AD40F31FEFA4DAB46167477D0371850D2B7C62D87DEE8C4F746AC6C6D55CC6BFD85A1294BEC0273E88233D94A9096DDFD791C0A9FA45B938A6D610
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16656
                                                                                                                                                                                                                                      Entropy (8bit):6.711937162453506
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:rw3RC0uWzliWkYA6VFHRN7P4EpcR9z0BHky+:03RC0xoFClP4Epw9zaHkb
                                                                                                                                                                                                                                      MD5:18BA1339DDC5D2FA9B78F7AC1C18624E
                                                                                                                                                                                                                                      SHA1:FEA42F32DF780D9E9B180B149BC051DCC4C2CECA
                                                                                                                                                                                                                                      SHA-256:033AD774B53A4CFF5AE9AD00AD51FB44FB7E34CCE86BB88E077046BBDE82094E
                                                                                                                                                                                                                                      SHA-512:692E2FB1E69480A1D3264ED6666A2F0CAB1E05CDD6EE85DAFD58BF495443094DCC5D94864A2ACA6E7525129DB4F1442C3B80B52FF2C129E06C86DE6330A10605
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15648
                                                                                                                                                                                                                                      Entropy (8bit):6.81235116499574
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:56yhm7Qv3Wt7VWhWqcWxNzx95jmHnhWgN7agWaNVAv+cQ0GX01k9z3Aspnkf5l:8yh93WtpGWqjX6HRN7PNbZR9zBdkfP
                                                                                                                                                                                                                                      MD5:FA3ADB76CA6EB3A67A5E4B6B24338726
                                                                                                                                                                                                                                      SHA1:57EA6862DB7DE23B47C34A804C0F1C10E3BC19A2
                                                                                                                                                                                                                                      SHA-256:4B3C5F41F52F16E2F4EC27BE12610A8437DE61F2B4CE53E383521A74D7937F44
                                                                                                                                                                                                                                      SHA-512:906624CE50242A01B84603D8100AC37C73B55821D111EB56186EB2CB41BC27945FD69DCD140DEC88FAD42C5A62E5504F72E78B0C21BFC7DF39CD3C7290D84E6A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):59704
                                                                                                                                                                                                                                      Entropy (8bit):5.885165737065941
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:FERA91+CQcmHLnDWrdg7JvYJ2QWMVkDOBM7dWs3zXfXSXE2/2dAWCio9zL6:FSA/ScknDa2tYmwkDmmwWzvC32yWrgze
                                                                                                                                                                                                                                      MD5:CFE673CE2D26EEF64ABEB7B7696177FF
                                                                                                                                                                                                                                      SHA1:96321BE02E912B7813C8A3743CC15528A0DE0BA6
                                                                                                                                                                                                                                      SHA-256:F1A590E321D86848C924055DAADAD7E4B086F199034F133DCE1B034E5AD53131
                                                                                                                                                                                                                                      SHA-512:D70A9D8FAD2AD71774E2CA82D311E71A9B80BE9F1907E38A79529B142FE462BE393E1F39C7114FE674CD703C57001F4B42A27445C8ACA047074DA15A85E34F96
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):15624
                                                                                                                                                                                                                                      Entropy (8bit):6.7523247989432935
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:iZL6h2FWVvo9W8YA6VFHRN752Y2MR9zPy0:iZWhAdFCl52Q9zK0
                                                                                                                                                                                                                                      MD5:0031FC0CF7730A0D2A235083C7BE48D4
                                                                                                                                                                                                                                      SHA1:FC6B6BD1AE65FEF8DCAFE4FEF263F36270ADED3B
                                                                                                                                                                                                                                      SHA-256:9351D54C7407694F2ABB14DE7770A85CDE97AB0E603B9B54800DD78D4D10E59A
                                                                                                                                                                                                                                      SHA-512:C25AAC8EE4FC10A8E53772C5FE9804C63E116EF4A2129EDFCC0D798417F96118FC7ED510656C6507132CBE9500676EC05D0A5F6A77B76CCE068BEC7087344FA7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16136
                                                                                                                                                                                                                                      Entropy (8bit):6.713032229773769
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:oaHtXz5UAWElSWNYA6VFHRN75FwB2IR9zJZpA7:7xNUo5FCl3wwU9zW7
                                                                                                                                                                                                                                      MD5:CF29C8C0F79AB74BB29D01A8CD114146
                                                                                                                                                                                                                                      SHA1:DFFFCA8A3FB3CA3DEFD6F74DEE30D0A2C3824A70
                                                                                                                                                                                                                                      SHA-256:60E61212B4413692C26885707CF656A94D9676FF416C009FECA45C13B45271AE
                                                                                                                                                                                                                                      SHA-512:FE22D7A38752FF490568F9041C8FC063EAF2828B9D136446BA2F183B6433CCD1D184A4B1355B13ABF2CDE428025EE0C36D42ACBB2006539A9EFF31A166432DB7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16152
                                                                                                                                                                                                                                      Entropy (8bit):6.701189252773519
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:vc17FduW1H4W1W2yWxNzx95jmHnhWgN7acWPwy8RwX01k9z3AzBhxH9cHYNm:uWW1H4WUmX6HRN7YV9R9z6Hxu4Y
                                                                                                                                                                                                                                      MD5:30E9D9AC1BBC20DF3488FA252015553E
                                                                                                                                                                                                                                      SHA1:FB9419C4C85DBD5A3E2A9419AD34B4635C6CB544
                                                                                                                                                                                                                                      SHA-256:79D0149A24692E7C6B2EEB854CFBF3400702ED3D6640AA471ECE856B59E269E8
                                                                                                                                                                                                                                      SHA-512:22BAE9984027A91DD7AAA53E05B387C20315153C30954E6770538D85C0990C2622BD16E42CF7C70DD88BC01975A886B99D8AFFBF859C2C339ED3A18D6BCDE5EA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):22328
                                                                                                                                                                                                                                      Entropy (8bit):6.376492073803144
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:Z1G5qkxK67ex4FC1sW1/AWZjX6HRN7Nx9WR9zBwrw:v6LWnrWw9zT
                                                                                                                                                                                                                                      MD5:21D8FDE33639C09BE8AD7EA2CE430C39
                                                                                                                                                                                                                                      SHA1:EB5DFA19839787F0CD7C0F8008AAFDAD62E33182
                                                                                                                                                                                                                                      SHA-256:0EBF6E07AC4C055F6EAC71D86CB01C43FA3DF6954828FAEC2E9A491D28305CB1
                                                                                                                                                                                                                                      SHA-512:28545864610BD19F44A5D06671453CAB62A33BA92E786C5B2A2F089ADA33FE6E947F6D6223195AFA5016F7A5EC506B33A84CC3EBCE4421CA8240C459AA03CAE7
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16680
                                                                                                                                                                                                                                      Entropy (8bit):6.632838369230027
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:ZIhLW7MIEqHWJYA6VFHRN7cNviCksR9zcm:ZIhkbEqSFClWio9z3
                                                                                                                                                                                                                                      MD5:14A3984EA8B856B26EF616F614D5350C
                                                                                                                                                                                                                                      SHA1:CDD8701E19708B6916F3336BCA9B5D60777EB41D
                                                                                                                                                                                                                                      SHA-256:C9C61183DF3FB4E23A0D98D3A1464352D84BBF80DBF05B5F2DFD5FB8186CA4E1
                                                                                                                                                                                                                                      SHA-512:B99B727D1D0FCF453F6F1631C46D817A828B02A8E3D231A772E18433BA0133D0EED747C5E6563A9FC7CDBB75183C986F10DAA639AC8DF230DAE68AEA1A09A214
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16136
                                                                                                                                                                                                                                      Entropy (8bit):6.774367058875485
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:kZKFW/QdWHYA6VFHRN7Z9ZL2IR9zJHJUO:XB6FClZ9ZaU9zbB
                                                                                                                                                                                                                                      MD5:BE12DF6ED82876BE80A492350334C32D
                                                                                                                                                                                                                                      SHA1:929B139819B4AA89B251B0F7C79C84BB27255180
                                                                                                                                                                                                                                      SHA-256:5BF16937086393770381C25842CB35011942F78D0C9EA7DCDAF0161429288B8A
                                                                                                                                                                                                                                      SHA-512:CB4D30DD1EC8A1A5549BF06120C36275050714D4AC1049838A450D5345491E96C17EB18FD351280BA3808CED1D51C7F89EA7653091490C06AE98B7313CCC9C9F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):30984
                                                                                                                                                                                                                                      Entropy (8bit):4.288581469269511
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:SW0heWs6bkmv7dYA6VFHRN7bUD2IR9zJO2:Ss6gmZFClbDU9zp
                                                                                                                                                                                                                                      MD5:63AF3D0B5B3681BA5BB2586E41014548
                                                                                                                                                                                                                                      SHA1:0E7A369FD101B66A96577FFB16FB188BDE100496
                                                                                                                                                                                                                                      SHA-256:865C8934588F79ACB1BF69D0D406198ECCAC4751BFABCC0F6BB4E6712459090E
                                                                                                                                                                                                                                      SHA-512:F82C6C4011F8B8C51AD506C22E5D4B1FCD4A3AFD10B9D0924CEFA54A5DD61E0DBFE972644ADB603AC0E75AE00DDD553D718E9BCB18F4CB95C25A3DEA9B323CC3
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16184
                                                                                                                                                                                                                                      Entropy (8bit):6.732697208000902
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:hxLiAH6DWB2vWmBX6HRN7GNviCksR9zcrIs:7dHitWIio9zgIs
                                                                                                                                                                                                                                      MD5:5A38DE4B1F1CEE04CE6CF96E1E07BA8B
                                                                                                                                                                                                                                      SHA1:D66CCD2E1589D58E3621BCF2E63CCAE509171519
                                                                                                                                                                                                                                      SHA-256:6AF1A8C435EF7BB1972E0509BBDD9A32B665949C248B6FD777833ABC527F290C
                                                                                                                                                                                                                                      SHA-512:3069EDB787B0BDB46E023AB71E34B817CE4E00EE9AE69F7D75DA4D3477824761D38B30690F012EA3B1F54D3A25EDCFE292C1AC615FF4F2C4E82127D448CA98DB
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16152
                                                                                                                                                                                                                                      Entropy (8bit):6.767329523656509
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:DTdo1x3iWe7sWo6X6HRN7lVXC4deR9zVj7uS:Xdo1sBWlVXC4dC9zVjr
                                                                                                                                                                                                                                      MD5:123A240246001C458E14CA32D40D56EC
                                                                                                                                                                                                                                      SHA1:473A3DF6DF0269BC824B6B90217CFA2141AF59C1
                                                                                                                                                                                                                                      SHA-256:BAE0097F29C72DC7095DB06156D11BE9949C28CD8FFE5605851FFA8308B443BA
                                                                                                                                                                                                                                      SHA-512:58AB7B7F06BC0A418B77DCBE8ABDC66850791B3D0AC4EB3819EA717B5B151B167B7CEE7ECDBDB86E66A1EF073B7E877ADB0C70F3B973E712DCB637BC504D0916
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):18216
                                                                                                                                                                                                                                      Entropy (8bit):6.626651656502574
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:192:g3ohYBNTtxaxzWp2vWEpWjA6Kr4PFHnhWgN7a0Wb3pWXYz1X01k9z3A/u84ts:g3oSX2zWp2vWEYA6VFHRN7SsoJR9zgu6
                                                                                                                                                                                                                                      MD5:59C396A982C075DEC28848C21B9B3287
                                                                                                                                                                                                                                      SHA1:49889A00099595C550AC919E381E030C11D84322
                                                                                                                                                                                                                                      SHA-256:9399F32559DCF33BE15D7F7C67BA6139602439BA848128715D3919084EFF0C8A
                                                                                                                                                                                                                                      SHA-512:1492AC135547ABA77EFFE2C1C8DA278CA04CF5C8836CE175682B163BA7BD392C10A2718A9667A1EA2F6DB4A7984550C5C511796183A29B5D7902D2C0A2F3E300
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):23848
                                                                                                                                                                                                                                      Entropy (8bit):6.279851716286934
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:x5FIeq5ufyw8bcB8yGOk2Y0WKvjsWLYA6VFHRN7RQXu0R9zI+SI:x5FIeWv2dNFClRGu49zp
                                                                                                                                                                                                                                      MD5:70B07221E2FF122EDC83D1CE7878F071
                                                                                                                                                                                                                                      SHA1:10DC2947E778C5D3279251214FFC4D6F537AAFBA
                                                                                                                                                                                                                                      SHA-256:C55AFCA244EA174CD7D26B81342B831D61D15F3D80EEE9406168F136CBCDD5B6
                                                                                                                                                                                                                                      SHA-512:DB0114AEA937A0443595C1CCF577D540FAEDCB632C0475B1C3CA26A5076CEFADF916196DE0CCB924A657428E77FE892748AE22D495668445B4E113C98B89EA85
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):50440
                                                                                                                                                                                                                                      Entropy (8bit):5.759917233301275
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:eOlKhT46UA2Zi5wRNH5JVb0U502zq1TntuqZbFClYV9z6C:tu6Zi5i5jzCkeZisz3
                                                                                                                                                                                                                                      MD5:91D003E2BCC6C343D3C752C9745F807C
                                                                                                                                                                                                                                      SHA1:A793B282D2125C2F9DD5FD0380DA475F92A804A7
                                                                                                                                                                                                                                      SHA-256:DE72057E9A2E41290B8BB3B829B101F420477726E134069A2E0C33270DEF210F
                                                                                                                                                                                                                                      SHA-512:7862E0B67DFA761F45078813AEDF06C3C1D06545FA1E5FAB72F64F1FC0B2153444789D9AB3F599521AF89B3702E20D3DEC0CDEA42EB0ECF649755B03A215E0AB
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):16664
                                                                                                                                                                                                                                      Entropy (8bit):6.726952486721783
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:6asFWQClWVrcW+ZX6HRN70oFr9R9z6HrUv:NCn8W0oFD9z6LUv
                                                                                                                                                                                                                                      MD5:AF65B24620A1E57D5AF9C71EE3AD9587
                                                                                                                                                                                                                                      SHA1:32E842B3D79AF9B8076F807481A8FE37E5537037
                                                                                                                                                                                                                                      SHA-256:54123FC5B700ACA49B87F05A94C42D65F094EEB4EF450CD51FCEB73DB303FAB4
                                                                                                                                                                                                                                      SHA-512:CEE9E50631869F2D0976217BAE8A3CE78DFF933EC62A4D2D148C72631EC37746160D64EAA959246A5E2A4FF9AFA0186171EDA5972D3AA3A732ACF1F1CCE00A13
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):311096
                                                                                                                                                                                                                                      Entropy (8bit):4.240870672877532
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:7I9XK6chFjbdP7oCE33XfQIBchLZtfqYZdB90Js:eqn7fqYZdBH
                                                                                                                                                                                                                                      MD5:7923B31012CC44878489207D9058E5A6
                                                                                                                                                                                                                                      SHA1:5D93CDFD71B1742BE1198969705BDFA7A2D0C8B7
                                                                                                                                                                                                                                      SHA-256:DD65F2279CCE3A21C39E66A7425AB82D23700326F042198D430E252029CA63FD
                                                                                                                                                                                                                                      SHA-512:B7DF2BADF5591A0D223A4462A75A00869721D4ACC86C1056EB197DE7AB3ACB8555E5A95273FE6622BC831246C1E7EE50C14721E46BBD71A4F4393E11A9CF4A25
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):668456
                                                                                                                                                                                                                                      Entropy (8bit):6.597516519981948
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:RGlUe0bQZSn84GFMN5mSVv8pg8OWFODaunfRSzPg9HRfAWbsxLTjjTVSAAbijTw7:QZZo8JaN5z+dufRS6xrgSAXTKWo
                                                                                                                                                                                                                                      MD5:7C9621181833865B9B9A77A9D1A9C1E9
                                                                                                                                                                                                                                      SHA1:0527DCF29FA178949BF268C534FDAA1E7D4620EF
                                                                                                                                                                                                                                      SHA-256:9B254C85D28E19C39B1E12C041A24519BFC22F083BCCF0D0855866F57782CADD
                                                                                                                                                                                                                                      SHA-512:C41CD072C569A098C47DDD240C9928422F54D0641A78E936D710AF0840C3C4063C28C7558B985A74DD08D7AD8D79484E6AE0A567CE6C03BFE88AABB002B24713
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1785112
                                                                                                                                                                                                                                      Entropy (8bit):6.5488066688404585
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:OkM51Lv2FQJioLYRa19wEvKugOQY5iW4WGGzgdZO3Ebz8d:OBioLQi9w/5ONiVGzgdZO3P
                                                                                                                                                                                                                                      MD5:CAFAB1FF05FF429BD46CB78B2FF8E9E8
                                                                                                                                                                                                                                      SHA1:E02B3B243B6993C0ADD46CAB15BBB6549C602700
                                                                                                                                                                                                                                      SHA-256:0DFE34BE78144CAD7DB5B66A7FCA3D86178EC0F353AAFBA6C81EB72E797E383B
                                                                                                                                                                                                                                      SHA-512:F19B60D26D784B2000E67A8698F8915EF623EEE074DAB9B853BA927A20FF11AB267C4BA385971620470987240263F917199E1424F3D23D263382163D66435639
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):5039416
                                                                                                                                                                                                                                      Entropy (8bit):6.559853988421888
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:jh3nYAkdW1bIowGlFCJvETHWzaK6YL/XPSpRdUWPfeSk5GjyuQS7bPdB15i9FqeV:jkdW1bIowcrW6p0qnWHn+2OSn
                                                                                                                                                                                                                                      MD5:389F964635CB95C6696744F56CBC092D
                                                                                                                                                                                                                                      SHA1:F133DA56B7AD65D162656E052C358328877DB1B1
                                                                                                                                                                                                                                      SHA-256:B4375494BB10BE11DB6134D361DF2F39A7A2C7F6696CA8D239A3ED424CE66DE7
                                                                                                                                                                                                                                      SHA-512:49DBAB9C3D1E9FE506EA7E0942D431559DCAF406C8E8233AFDD234BD8337F735E1D9510861C1DE00B7295D5956EE166D0AD55AFCE2142FD75A876F506F4DC661
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):61800
                                                                                                                                                                                                                                      Entropy (8bit):6.349970742890166
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:vhwLsWpGD774wTlENE9Kb8lS8qs3PWG01Ekks3uN2wP2gbWF9zo:vhwLsWpG4Ntb8lumD2gbWXzo
                                                                                                                                                                                                                                      MD5:4A80E852AD189E7269B336BF031BECA3
                                                                                                                                                                                                                                      SHA1:197FA04A68FBBBEE806FF9880F4B849349F88A1B
                                                                                                                                                                                                                                      SHA-256:B24FD57EC86913EA7364FE7CC981946D7D45A23D9868530BFF394DA84557B71B
                                                                                                                                                                                                                                      SHA-512:76196E5A4D3B2FD8561A0F16136EF53F9848BC8FE336E482C981A891C1C3689620AE5737E414457678DDAE64F716F967EF12093CE0F04B2B829B67D53D44696E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):393512
                                                                                                                                                                                                                                      Entropy (8bit):6.331878832760126
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6144:Ux0Ke3VmzsnHpYHkGWqTRDERqBwT5eQC0+1Bs2u7FksfEXk0Pzfw:k0KWVmzsnKHkgTWkBDQq1K2vk+4
                                                                                                                                                                                                                                      MD5:25FD4181AB8B572A1BBFBA2F4A9EC239
                                                                                                                                                                                                                                      SHA1:B834DFC4C908B3CB8D3FC40771E6D0E900C7DE64
                                                                                                                                                                                                                                      SHA-256:65D61078B6B97884AD09AA12DA97D96F50F7D98E6D163C926AE199F9BB58A3CE
                                                                                                                                                                                                                                      SHA-512:38B708595E5A91194FDB089AE56E4051841C27406F8E770BB720EE9A5D66E6FB1CE8599F224071C2C23D30D832315C2A51A532677F121B383547F149385D1246
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1338384
                                                                                                                                                                                                                                      Entropy (8bit):6.3581682679559135
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:SABsjnIunobZ5eGiBSk7uf9xg9Y/qZLPyoRyKngNLi0/rqsaoGSZNrWVwi00szJU:SjIuG4Sk7ug9Y/qkNe4rqsaknjGZZv
                                                                                                                                                                                                                                      MD5:51EE5E6865F0D6F5A9C3F08181E263D1
                                                                                                                                                                                                                                      SHA1:9C0745545DA0AFD24881529FD5062A4343AF7762
                                                                                                                                                                                                                                      SHA-256:6C52462719DC63E935B967F796DF5E4D91B07D85792529D488455BF5D5A6E6A8
                                                                                                                                                                                                                                      SHA-512:D27FA79335606B41BA49E1060288504688A118FC4852634FC4D03C2E453262FF5966D381C055428BF3E01ABB9CF980DABA2A91EDF46EE428A5AB30F28871F3D4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1241616
                                                                                                                                                                                                                                      Entropy (8bit):6.3502741331068
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:KyL6o2uNNwfPWN0uenPtMDQUxbDjfDFuFZ0a4KU/mhRtI/2g/GWQ9s16yCp54yq:KyL6oXqU0uePtM/DjfDFYyaLmug/H
                                                                                                                                                                                                                                      MD5:546589C51162826DB43BA02DF92496A2
                                                                                                                                                                                                                                      SHA1:06F12A763CD7F73063179B5AEB537EA67FA6AE71
                                                                                                                                                                                                                                      SHA-256:A91540E748CBC2C44C091ED618C785A5400C27A742AA6C6DA4CF80923DB00F7D
                                                                                                                                                                                                                                      SHA-512:D038979709A1F829BFC25FD06A1F9E38AC99376E619BD31885B083B6ED862FA76743F1B15621D39865E67769AD2953CA2A9B093C1F4530250FCCF38B164CD3CA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):59696
                                                                                                                                                                                                                                      Entropy (8bit):5.652717651829639
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:kt51EDMpCUoqFY66Gw17oqZn/TEHmyrchswz6EEZcYf5o4ba2yGlG1QeY48lCiDV:ktFcC3ZcYf5o4bZyGc1A4cDXWQQzi3
                                                                                                                                                                                                                                      MD5:52CFF557AED4CBD8D59B899A761B82BA
                                                                                                                                                                                                                                      SHA1:E99FE78B96578A4A8036A07D431A3EB21FFA83C7
                                                                                                                                                                                                                                      SHA-256:2F8E23C3566B02B2F9E0E1B86D6D81D3CE0DF06C5B9AEB68CEB66B6B152ED099
                                                                                                                                                                                                                                      SHA-512:ED9B3A1BBA91FDEADCCFBDD63F10B72915EEFEA182564A62C163C34A865F00AFE81B72DC32FB55BA4D97803222ED934FB92861B6E16A9A58E785FCD2BDF8D1E9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):137016
                                                                                                                                                                                                                                      Entropy (8bit):3.906071951546616
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:zxl191YWvh7xR+l5dZU49N9SqignwJ5cvBMgSIctpoECygW7tgzE:zxldal5dZU4dSqHns2SpSkgSSg
                                                                                                                                                                                                                                      MD5:01691B7E80FFFF518797EF61B1358FBD
                                                                                                                                                                                                                                      SHA1:E188AE3623E459AF7A84442DAFB01E4E65744383
                                                                                                                                                                                                                                      SHA-256:7D2F7896B52606E9C77AD2A21C0BB8E765D9AA7FD2DE471E90A204C99655B83F
                                                                                                                                                                                                                                      SHA-512:BD9F20B74585E658C08EF0712FC8278E2DA6DC32236F4E88D574F614C4E9E1181764D93B88C7FB78C8394817D514651AFBFBA8AB6FE97FE27A1C73AA89A3548B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):538136
                                                                                                                                                                                                                                      Entropy (8bit):6.299714405457925
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:q5YDDKStgzRK093ertSfiOMVAXUYYJJOb:qmDxSP6OaLYYJC
                                                                                                                                                                                                                                      MD5:027854570A4412624BECEE78A10395C1
                                                                                                                                                                                                                                      SHA1:6B0E6BC0CD97F2CAC1B962BE868FC7CB621D77F8
                                                                                                                                                                                                                                      SHA-256:2D67E87859ECAEB15C4DD621B0983F1A9AD3E2AA9B11624C018A43E6D6B06BEC
                                                                                                                                                                                                                                      SHA-512:8593D309434C7954AA42E5BD63F76A5BAE783C8F2130798EA285032C71F890C4C1783614597EE2BA3DA3294A68CE636EA2A9DCB21A858A840C8D8F6316928D65
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):101160
                                                                                                                                                                                                                                      Entropy (8bit):5.502135579975956
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:bYsYXj0p2NYq5V4bgDHsPdIpuSE5L3Ukcz9wnXiKdkz:MMkYe4bgDUAxCnXI
                                                                                                                                                                                                                                      MD5:937A6DCE409FE67D60722137A5E860EC
                                                                                                                                                                                                                                      SHA1:9DC0849E2164D7B25F7F0F6DC3B9600EC431E914
                                                                                                                                                                                                                                      SHA-256:F56C741CC18D17CB031A9CDEB3DE3C4662CF80CB65F434DCA5DF328AC682C5C1
                                                                                                                                                                                                                                      SHA-512:B5379A528CDCB6F55A85002D89FCA19B2C2BC9461647E3B81791D63E8F2E0227B22427CB2A60393F3A6FC9B1E407E23E2B22AF93C378A16D83B232CA2DE74D79
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2402
                                                                                                                                                                                                                                      Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                      MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                      SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                      SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                      SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):651
                                                                                                                                                                                                                                      Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                      MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                      SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                      SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                      SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2994176
                                                                                                                                                                                                                                      Entropy (8bit):7.878666436630809
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:b+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:b+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                      MD5:17233CB43B4A16B35D9D174CFC88EC4A
                                                                                                                                                                                                                                      SHA1:3831189838DF5D113461823A1AA864D7572BEDF5
                                                                                                                                                                                                                                      SHA-256:A78B24EACD8138EDB9F0D440C2FFB98CEE269AE32C8F8BA8790D4D60C2EE18E5
                                                                                                                                                                                                                                      SHA-512:239C758D62C9D14532589DE4ED3151EED177419CDD9F06CF8C223FA137631FE8ED576FA29DA5B0040510A0EAF2EA6F5AB5DA61809A7208D1220DC80109BAABD0
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2994176
                                                                                                                                                                                                                                      Entropy (8bit):7.878666436630809
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:b+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:b+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                      MD5:17233CB43B4A16B35D9D174CFC88EC4A
                                                                                                                                                                                                                                      SHA1:3831189838DF5D113461823A1AA864D7572BEDF5
                                                                                                                                                                                                                                      SHA-256:A78B24EACD8138EDB9F0D440C2FFB98CEE269AE32C8F8BA8790D4D60C2EE18E5
                                                                                                                                                                                                                                      SHA-512:239C758D62C9D14532589DE4ED3151EED177419CDD9F06CF8C223FA137631FE8ED576FA29DA5B0040510A0EAF2EA6F5AB5DA61809A7208D1220DC80109BAABD0
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2994176
                                                                                                                                                                                                                                      Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                      MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                      SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                      SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                      SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2994176
                                                                                                                                                                                                                                      Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                      MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                      SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                      SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                      SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 8.0.11 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 8.0.11 (x64)., Template: x64;1033, Revision Number: {D9788553-CDFF-4792-87FA-89ADA20ADBA7}, Create Time/Date: Thu Oct 17 23:36:38 2024, Last Saved Time/Date: Thu Oct 17 23:36:38 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.9323), Security: 2
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):27566080
                                                                                                                                                                                                                                      Entropy (8bit):7.994779231183715
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:786432:Y2a7yZcd+9F/PHkT4Lqt85HrI5K4Krj8A0Lr1k:Yvg9r95Hrh4c8A0t
                                                                                                                                                                                                                                      MD5:B9C6D23462ADEF092B8A5B7880531B03
                                                                                                                                                                                                                                      SHA1:9E8C4F7F48D38FB54A93789A583852869C074F2D
                                                                                                                                                                                                                                      SHA-256:2E23DA54AA1FF64DE09021AB089C1BE6D4A323BDF0D8F46F78B5C6A33DF83109
                                                                                                                                                                                                                                      SHA-512:18623991C5690E516541EAF867F22B3A1A02317392178943143BEDC7F7EDA5E02E69665C3C4A5FA50ADE516A191BBBF16FD71E60F3225F660FB10EBC25CD01A5
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 8.0.11 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 8.0.11 (x64)., Template: x64;1033, Revision Number: {D9788553-CDFF-4792-87FA-89ADA20ADBA7}, Create Time/Date: Thu Oct 17 23:36:38 2024, Last Saved Time/Date: Thu Oct 17 23:36:38 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.9323), Security: 2
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):27566080
                                                                                                                                                                                                                                      Entropy (8bit):7.994779231183715
                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                      SSDEEP:786432:Y2a7yZcd+9F/PHkT4Lqt85HrI5K4Krj8A0Lr1k:Yvg9r95Hrh4c8A0t
                                                                                                                                                                                                                                      MD5:B9C6D23462ADEF092B8A5B7880531B03
                                                                                                                                                                                                                                      SHA1:9E8C4F7F48D38FB54A93789A583852869C074F2D
                                                                                                                                                                                                                                      SHA-256:2E23DA54AA1FF64DE09021AB089C1BE6D4A323BDF0D8F46F78B5C6A33DF83109
                                                                                                                                                                                                                                      SHA-512:18623991C5690E516541EAF867F22B3A1A02317392178943143BEDC7F7EDA5E02E69665C3C4A5FA50ADE516A191BBBF16FD71E60F3225F660FB10EBC25CD01A5
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 8.0.11 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 8.0.11 (x64)., Template: x64;1033, Revision Number: {EBC96263-55B4-4BCE-B9C8-B460A20F0BE4}, Create Time/Date: Thu Oct 17 23:36:28 2024, Last Saved Time/Date: Thu Oct 17 23:36:28 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.9323), Security: 2
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):790528
                                                                                                                                                                                                                                      Entropy (8bit):6.679922945107014
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:4XZw5pChV1EgXmEI3os2Qx7E4D4Rxbp4K+1uiqB:4Xsp8Xdc3/7Rin+sZ
                                                                                                                                                                                                                                      MD5:D73DE5788AB129F16AFDD990D8E6BFA9
                                                                                                                                                                                                                                      SHA1:88CB87AF50EA4999E2079D9269CE64C8EB1A584E
                                                                                                                                                                                                                                      SHA-256:4F9AC5A094E9B1B4F0285E6E69C2E914E42DCC184DFE6FE93894F8E03CA6C193
                                                                                                                                                                                                                                      SHA-512:BFC32F9A20E30045F5207446C6AB6E8EF49A3FD7A5A41491C2242E10FEE8EFD2F82F81C3FF3BF7681E5E660FDE065A315A89D87E9F488C863421FE1D6381BA3B
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 8.0.11 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 8.0.11 (x64)., Template: x64;1033, Revision Number: {EBC96263-55B4-4BCE-B9C8-B460A20F0BE4}, Create Time/Date: Thu Oct 17 23:36:28 2024, Last Saved Time/Date: Thu Oct 17 23:36:28 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.9323), Security: 2
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):790528
                                                                                                                                                                                                                                      Entropy (8bit):6.679922945107014
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:4XZw5pChV1EgXmEI3os2Qx7E4D4Rxbp4K+1uiqB:4Xsp8Xdc3/7Rin+sZ
                                                                                                                                                                                                                                      MD5:D73DE5788AB129F16AFDD990D8E6BFA9
                                                                                                                                                                                                                                      SHA1:88CB87AF50EA4999E2079D9269CE64C8EB1A584E
                                                                                                                                                                                                                                      SHA-256:4F9AC5A094E9B1B4F0285E6E69C2E914E42DCC184DFE6FE93894F8E03CA6C193
                                                                                                                                                                                                                                      SHA-512:BFC32F9A20E30045F5207446C6AB6E8EF49A3FD7A5A41491C2242E10FEE8EFD2F82F81C3FF3BF7681E5E660FDE065A315A89D87E9F488C863421FE1D6381BA3B
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host - 8.0.11 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host - 8.0.11 (x64)., Template: x64;1033, Revision Number: {821DC2A6-AEB1-4796-80C6-7F7EC027B94F}, Create Time/Date: Thu Oct 17 23:43:58 2024, Last Saved Time/Date: Thu Oct 17 23:43:58 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.9323), Security: 2
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):720896
                                                                                                                                                                                                                                      Entropy (8bit):6.4600879618022065
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:mLNzV1EgXmEI3os2Qx7E4D4Rxbp4K+1uiqG:ezXdc3/7Rin+su
                                                                                                                                                                                                                                      MD5:AEF2D4D02B45FA95D8ABCAC57E60D21B
                                                                                                                                                                                                                                      SHA1:11C91E25DCF7F1357AB0FB0A6307A71B45DAB754
                                                                                                                                                                                                                                      SHA-256:EBE13E660C208681E2F1C10FA59D8B37540F2E6187751703FA5BBB5F4B300EB1
                                                                                                                                                                                                                                      SHA-512:C78E41D5B2C845C106B088881CF72DDDF64BE09F72D7AC6078E944E7C9F6AFB428E0BAD7FEC45BB539AD04694467FC302E0A915522123FE02F80BFE1762C2EF1
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host - 8.0.11 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host - 8.0.11 (x64)., Template: x64;1033, Revision Number: {821DC2A6-AEB1-4796-80C6-7F7EC027B94F}, Create Time/Date: Thu Oct 17 23:43:58 2024, Last Saved Time/Date: Thu Oct 17 23:43:58 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.9323), Security: 2
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):720896
                                                                                                                                                                                                                                      Entropy (8bit):6.4600879618022065
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:mLNzV1EgXmEI3os2Qx7E4D4Rxbp4K+1uiqG:ezXdc3/7Rin+su
                                                                                                                                                                                                                                      MD5:AEF2D4D02B45FA95D8ABCAC57E60D21B
                                                                                                                                                                                                                                      SHA1:11C91E25DCF7F1357AB0FB0A6307A71B45DAB754
                                                                                                                                                                                                                                      SHA-256:EBE13E660C208681E2F1C10FA59D8B37540F2E6187751703FA5BBB5F4B300EB1
                                                                                                                                                                                                                                      SHA-512:C78E41D5B2C845C106B088881CF72DDDF64BE09F72D7AC6078E944E7C9F6AFB428E0BAD7FEC45BB539AD04694467FC302E0A915522123FE02F80BFE1762C2EF1
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):224328
                                                                                                                                                                                                                                      Entropy (8bit):6.660576026391609
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:FVzl3qiEZybztEwiUx6D02cWVsV1v2vZR3X6j7zo6k2FkngTLrOrORT9flQnS6lg:FVIMEgXmEAR3oHon2VaFuG0eEp
                                                                                                                                                                                                                                      MD5:928F4B0FC68501395F93AD524A36148C
                                                                                                                                                                                                                                      SHA1:084590B18957CA45B4A0D4576D1CC72966C3EA10
                                                                                                                                                                                                                                      SHA-256:2BF33A9B9980E44D21D48F04CC6AC4EED4C68F207BD5990B7D3254A310B944AE
                                                                                                                                                                                                                                      SHA-512:7F2163F651693F9B73A67E90B5C820AF060A23502667A5C32C3BEB2D6B043F5459F22D61072A744089D622C05502D80F7485E0F86EB6D565FF711D5680512372
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):69889
                                                                                                                                                                                                                                      Entropy (8bit):5.6439900249875965
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:voIzNdxb3zQou7aRAsZdBuW2GpQmqpQAu:5Rb3RxdBuJB9pRu
                                                                                                                                                                                                                                      MD5:2A006562D7B292F575A22D11EDB3CB6D
                                                                                                                                                                                                                                      SHA1:F3F77ECBA176ECE26CFF98F22AF3193BB66F091B
                                                                                                                                                                                                                                      SHA-256:402CFACA2821DF0408B4D3C1BA675BCA20B85597003FD3D9BB958E201EE06EE2
                                                                                                                                                                                                                                      SHA-512:595C34E18F8DA475AE8E11DEB153A1DEB46730684E47E78108E97C1AEA4D715A44B45076364C0B8C0EF194307BAFAE59A3CD05B0B9629EFF4273FCEC0EB0E330
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@ul.Z.@.....@.....@.....@.....@.....@......&.{9C80213E-9079-4561-8D57-1FDD0D62251F}%.Microsoft .NET Runtime - 8.0.11 (x64)!.dotnet-runtime-8.0.11-win-x64.msi.@.....@.Z,@.@.....@........&.{D9788553-CDFF-4792-87FA-89ADA20ADBA7}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 8.0.11 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{F81D99A3-0880-5654-AED5-B1AA39FA6285}R.02:\Software\Classes\Installer\Dependencies\dotnet_runtime_64.44.23191_x64\Version.@.......@.....@.....@......&.{E6B3315F-85DE-56F4-AA3E-2A4820293382}D.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\.version.@.......@.....@.....@......&.{115BDECA-5A1C-5E3D-8EC7-4C45804415E5}H.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\clretwrc.dll.@.......@.....@.....@......&.{605499FF-1868-5A10-9952-9F413E0E17EA}E.C:\Pr
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):224328
                                                                                                                                                                                                                                      Entropy (8bit):6.660576026391609
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:FVzl3qiEZybztEwiUx6D02cWVsV1v2vZR3X6j7zo6k2FkngTLrOrORT9flQnS6lg:FVIMEgXmEAR3oHon2VaFuG0eEp
                                                                                                                                                                                                                                      MD5:928F4B0FC68501395F93AD524A36148C
                                                                                                                                                                                                                                      SHA1:084590B18957CA45B4A0D4576D1CC72966C3EA10
                                                                                                                                                                                                                                      SHA-256:2BF33A9B9980E44D21D48F04CC6AC4EED4C68F207BD5990B7D3254A310B944AE
                                                                                                                                                                                                                                      SHA-512:7F2163F651693F9B73A67E90B5C820AF060A23502667A5C32C3BEB2D6B043F5459F22D61072A744089D622C05502D80F7485E0F86EB6D565FF711D5680512372
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):224328
                                                                                                                                                                                                                                      Entropy (8bit):6.660576026391609
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:FVzl3qiEZybztEwiUx6D02cWVsV1v2vZR3X6j7zo6k2FkngTLrOrORT9flQnS6lg:FVIMEgXmEAR3oHon2VaFuG0eEp
                                                                                                                                                                                                                                      MD5:928F4B0FC68501395F93AD524A36148C
                                                                                                                                                                                                                                      SHA1:084590B18957CA45B4A0D4576D1CC72966C3EA10
                                                                                                                                                                                                                                      SHA-256:2BF33A9B9980E44D21D48F04CC6AC4EED4C68F207BD5990B7D3254A310B944AE
                                                                                                                                                                                                                                      SHA-512:7F2163F651693F9B73A67E90B5C820AF060A23502667A5C32C3BEB2D6B043F5459F22D61072A744089D622C05502D80F7485E0F86EB6D565FF711D5680512372
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2798
                                                                                                                                                                                                                                      Entropy (8bit):5.74128047570224
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:GLxo9BHc83ebhIpqUHMb6P39ez1kJYmQxbD8SBhron4K7GeU1DJYDnJY2oJeEysN:GLxo9BHHqYHP6LFPHro4xe6mD62oJeEx
                                                                                                                                                                                                                                      MD5:A719AC721A4FF9470376D5C202B79EF2
                                                                                                                                                                                                                                      SHA1:A16E406EEB0839C47B4F3CB90BE627D22BEDF291
                                                                                                                                                                                                                                      SHA-256:62FE831914FB70E56A2A107AAF3CD308DC7EB893F154AC16055CB30D88CFBB73
                                                                                                                                                                                                                                      SHA-512:BB4DB6815ABC410AF1217B9A911B5B157D726BBBDF680032349B40CA7B1FFFAC9A8F212BF274CB1C2FE7CE6C756B3709A4DE5BF313F7BC6B278713624C1D502E
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@zl.Z.@.....@.....@.....@.....@.....@......&.{F59C11F0-D73F-452B-8D1D-8C33B82D8507}..Microsoft .NET Host FX Resolver - 8.0.11 (x64)!.dotnet-hostfxr-8.0.11-win-x64.msi.@.....@.Z,@.@.....@........&.{EBC96263-55B4-4BCE-B9C8-B460A20F0BE4}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 8.0.11 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{4FD6DFC4-5859-531B-9E4A-DE2781CCA754}V.02:\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_64.44.23191_x64\Version.@.......@.....@.....@......&.{88F54D57-4C26-5E97-B6AB-FB77E26C265C}3.C:\Program Files\dotnet\host\fxr\8.0.11\hostfxr.dll.@.......@.....@.....@......&.{8EC524B8-7864-5ACE-B320-2D36216EBC12}?.02:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\hostfxr\Version.@.......@.....@.....@........InstallFiles..Copying new files&.File: [1], Dire
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):224328
                                                                                                                                                                                                                                      Entropy (8bit):6.660576026391609
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:FVzl3qiEZybztEwiUx6D02cWVsV1v2vZR3X6j7zo6k2FkngTLrOrORT9flQnS6lg:FVIMEgXmEAR3oHon2VaFuG0eEp
                                                                                                                                                                                                                                      MD5:928F4B0FC68501395F93AD524A36148C
                                                                                                                                                                                                                                      SHA1:084590B18957CA45B4A0D4576D1CC72966C3EA10
                                                                                                                                                                                                                                      SHA-256:2BF33A9B9980E44D21D48F04CC6AC4EED4C68F207BD5990B7D3254A310B944AE
                                                                                                                                                                                                                                      SHA-512:7F2163F651693F9B73A67E90B5C820AF060A23502667A5C32C3BEB2D6B043F5459F22D61072A744089D622C05502D80F7485E0F86EB6D565FF711D5680512372
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):224328
                                                                                                                                                                                                                                      Entropy (8bit):6.660576026391609
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:FVzl3qiEZybztEwiUx6D02cWVsV1v2vZR3X6j7zo6k2FkngTLrOrORT9flQnS6lg:FVIMEgXmEAR3oHon2VaFuG0eEp
                                                                                                                                                                                                                                      MD5:928F4B0FC68501395F93AD524A36148C
                                                                                                                                                                                                                                      SHA1:084590B18957CA45B4A0D4576D1CC72966C3EA10
                                                                                                                                                                                                                                      SHA-256:2BF33A9B9980E44D21D48F04CC6AC4EED4C68F207BD5990B7D3254A310B944AE
                                                                                                                                                                                                                                      SHA-512:7F2163F651693F9B73A67E90B5C820AF060A23502667A5C32C3BEB2D6B043F5459F22D61072A744089D622C05502D80F7485E0F86EB6D565FF711D5680512372
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):731
                                                                                                                                                                                                                                      Entropy (8bit):5.469288394017732
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:EgdLBISQV930/KC8J7keR3cj//430/KC8x/fNEhHmX/qHXZNDUSEMszVltNnjSQm:FLBvo93XnJ75R3cjo3XnoQXkXZIMEVlm
                                                                                                                                                                                                                                      MD5:EA361AB2DF2A09B3C54709004248B879
                                                                                                                                                                                                                                      SHA1:78141E7156F2EFEFD703BD39BD6DD198944983A9
                                                                                                                                                                                                                                      SHA-256:19CF05C445D911289A1682ABC267E8853B62E1DF06E5847B43D0BDA47E1FE10B
                                                                                                                                                                                                                                      SHA-512:8D537279A89A6C37C73E6B974C754EA14BD3061CA0B972457678A31DF0FA10DA144DD91F27A1073B74987AC159725AEF77D60F08669300813EB137038C9881CE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@{l.Z.@.....@.....@.....@.....@.....@......&.{F59C11F0-D73F-452B-8D1D-8C33B82D8507}..Microsoft .NET Host FX Resolver - 8.0.11 (x64)!.dotnet-hostfxr-8.0.11-win-x64.msi.@.....@.Z,@.@.....@........&.{EBC96263-55B4-4BCE-B9C8-B460A20F0BE4}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 8.0.11 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........RegisterProduct..Registering product..[1]i...0......PublishProduct..Publishing product information.......@.....@.....@......&.{F59C11F0-D73F-452B-8D1D-8C33B82D8507}P.C:\ProgramData\Package Cache\{F59C11F0-D73F-452B-8D1D-8C33B82D8507}v64.44.23191\...@.....@.....@....
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):224328
                                                                                                                                                                                                                                      Entropy (8bit):6.660576026391609
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:FVzl3qiEZybztEwiUx6D02cWVsV1v2vZR3X6j7zo6k2FkngTLrOrORT9flQnS6lg:FVIMEgXmEAR3oHon2VaFuG0eEp
                                                                                                                                                                                                                                      MD5:928F4B0FC68501395F93AD524A36148C
                                                                                                                                                                                                                                      SHA1:084590B18957CA45B4A0D4576D1CC72966C3EA10
                                                                                                                                                                                                                                      SHA-256:2BF33A9B9980E44D21D48F04CC6AC4EED4C68F207BD5990B7D3254A310B944AE
                                                                                                                                                                                                                                      SHA-512:7F2163F651693F9B73A67E90B5C820AF060A23502667A5C32C3BEB2D6B043F5459F22D61072A744089D622C05502D80F7485E0F86EB6D565FF711D5680512372
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):224328
                                                                                                                                                                                                                                      Entropy (8bit):6.660576026391609
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:FVzl3qiEZybztEwiUx6D02cWVsV1v2vZR3X6j7zo6k2FkngTLrOrORT9flQnS6lg:FVIMEgXmEAR3oHon2VaFuG0eEp
                                                                                                                                                                                                                                      MD5:928F4B0FC68501395F93AD524A36148C
                                                                                                                                                                                                                                      SHA1:084590B18957CA45B4A0D4576D1CC72966C3EA10
                                                                                                                                                                                                                                      SHA-256:2BF33A9B9980E44D21D48F04CC6AC4EED4C68F207BD5990B7D3254A310B944AE
                                                                                                                                                                                                                                      SHA-512:7F2163F651693F9B73A67E90B5C820AF060A23502667A5C32C3BEB2D6B043F5459F22D61072A744089D622C05502D80F7485E0F86EB6D565FF711D5680512372
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):4235
                                                                                                                                                                                                                                      Entropy (8bit):5.71428292821513
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:0LKz/5peVPQHLx7k05bAAKD6uce6JND/kmEP8s:A2SUxkunA6uce64mW7
                                                                                                                                                                                                                                      MD5:A38906E1CFD45C9A17BA30C5B6DB5325
                                                                                                                                                                                                                                      SHA1:9F2007CE5A2CD767C26486B84D454FF54A488798
                                                                                                                                                                                                                                      SHA-256:BB38C8A04E9FEECBE877E2BF2D6AB39ED861E9F7CD7A71030D778B6EE3A5C46D
                                                                                                                                                                                                                                      SHA-512:64337D19217CFF9F5960A71B7D4D3C001CA25B2CA7D5933B747B70A660802A9F6F055C26BB761481F2989D10CED9C01A4858DA9E339DEA957D9DEBC949DA8964
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@|l.Z.@.....@.....@.....@.....@.....@......&.{362B4D0D-8438-44DA-86B2-FEC44E000FCA}".Microsoft .NET Host - 8.0.11 (x64)..dotnet-host-8.0.11-win-x64.msi.@.....@.Z,@.@.....@........&.{821DC2A6-AEB1-4796-80C6-7F7EC027B94F}.....@.....@.....@.....@.......@.....@.....@.......@....".Microsoft .NET Host - 8.0.11 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{7ECCA0D4-8C88-50DD-A538-CDC29B9350D1}Q.02:\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_8.0_x64\Version.@.......@.....@.....@......&.{45399BBB-DDA5-4386-A2E9-618FB3C54A18}".C:\Program Files\dotnet\dotnet.exe.@.......@.....@.....@......&.{EA9C3F98-F9B1-5212-8980-CFEAF2B15E0D}B.22:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\sharedhost\Version.@.......@.....@.....@......&.{E4E008C8-57A8-5040-BB34-03024B15B6C5}?.02:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\Install
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):224328
                                                                                                                                                                                                                                      Entropy (8bit):6.660576026391609
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:FVzl3qiEZybztEwiUx6D02cWVsV1v2vZR3X6j7zo6k2FkngTLrOrORT9flQnS6lg:FVIMEgXmEAR3oHon2VaFuG0eEp
                                                                                                                                                                                                                                      MD5:928F4B0FC68501395F93AD524A36148C
                                                                                                                                                                                                                                      SHA1:084590B18957CA45B4A0D4576D1CC72966C3EA10
                                                                                                                                                                                                                                      SHA-256:2BF33A9B9980E44D21D48F04CC6AC4EED4C68F207BD5990B7D3254A310B944AE
                                                                                                                                                                                                                                      SHA-512:7F2163F651693F9B73A67E90B5C820AF060A23502667A5C32C3BEB2D6B043F5459F22D61072A744089D622C05502D80F7485E0F86EB6D565FF711D5680512372
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):224328
                                                                                                                                                                                                                                      Entropy (8bit):6.660576026391609
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:FVzl3qiEZybztEwiUx6D02cWVsV1v2vZR3X6j7zo6k2FkngTLrOrORT9flQnS6lg:FVIMEgXmEAR3oHon2VaFuG0eEp
                                                                                                                                                                                                                                      MD5:928F4B0FC68501395F93AD524A36148C
                                                                                                                                                                                                                                      SHA1:084590B18957CA45B4A0D4576D1CC72966C3EA10
                                                                                                                                                                                                                                      SHA-256:2BF33A9B9980E44D21D48F04CC6AC4EED4C68F207BD5990B7D3254A310B944AE
                                                                                                                                                                                                                                      SHA-512:7F2163F651693F9B73A67E90B5C820AF060A23502667A5C32C3BEB2D6B043F5459F22D61072A744089D622C05502D80F7485E0F86EB6D565FF711D5680512372
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):704
                                                                                                                                                                                                                                      Entropy (8bit):5.429926371052501
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:EgMLBsNz30t8GYasWj//s30t8x/fNEhHmX/qHXZNDUSEMszVltNnjVWYCNYu4W:0LB4z3XGvsWjc3XoQXkXZIMEVlt1Dkj
                                                                                                                                                                                                                                      MD5:D8EC019D86AEEA4549C7071C6C14A3BD
                                                                                                                                                                                                                                      SHA1:FED6181755428D3D49605167007EDB0E7D8D253D
                                                                                                                                                                                                                                      SHA-256:BF69810BC1066B1075DB9D61B83624FA8B01047BFD2268D855A1FCE494C94286
                                                                                                                                                                                                                                      SHA-512:080A558413A21A303219436C30E1423B6EC01AB60F6420F15B6FDC2F247766495785752FC7FC5DFDBCC314F7EB2F05D8C16C0CEA76D00CA8C873AFEA8F48C558
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@|l.Z.@.....@.....@.....@.....@.....@......&.{362B4D0D-8438-44DA-86B2-FEC44E000FCA}".Microsoft .NET Host - 8.0.11 (x64)..dotnet-host-8.0.11-win-x64.msi.@.....@.Z,@.@.....@........&.{821DC2A6-AEB1-4796-80C6-7F7EC027B94F}.....@.....@.....@.....@.......@.....@.....@.......@....".Microsoft .NET Host - 8.0.11 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........RegisterProduct..Registering product..[1]i...0......PublishProduct..Publishing product information.......@.....@.....@......&.{362B4D0D-8438-44DA-86B2-FEC44E000FCA}P.C:\ProgramData\Package Cache\{362B4D0D-8438-44DA-86B2-FEC44E000FCA}v64.44.23191\...@.....@.....@....
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                      Size (bytes):224328
                                                                                                                                                                                                                                      Entropy (8bit):6.660576026391609
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:FVzl3qiEZybztEwiUx6D02cWVsV1v2vZR3X6j7zo6k2FkngTLrOrORT9flQnS6lg:FVIMEgXmEAR3oHon2VaFuG0eEp
                                                                                                                                                                                                                                      MD5:928F4B0FC68501395F93AD524A36148C
                                                                                                                                                                                                                                      SHA1:084590B18957CA45B4A0D4576D1CC72966C3EA10
                                                                                                                                                                                                                                      SHA-256:2BF33A9B9980E44D21D48F04CC6AC4EED4C68F207BD5990B7D3254A310B944AE
                                                                                                                                                                                                                                      SHA-512:7F2163F651693F9B73A67E90B5C820AF060A23502667A5C32C3BEB2D6B043F5459F22D61072A744089D622C05502D80F7485E0F86EB6D565FF711D5680512372
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):25600
                                                                                                                                                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI99A5.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1538
                                                                                                                                                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):184240
                                                                                                                                                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):711952
                                                                                                                                                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):61448
                                                                                                                                                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):25600
                                                                                                                                                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIA4ED.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1538
                                                                                                                                                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):184240
                                                                                                                                                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):711952
                                                                                                                                                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):61448
                                                                                                                                                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):25600
                                                                                                                                                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIA82A.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1538
                                                                                                                                                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):184240
                                                                                                                                                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):711952
                                                                                                                                                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):61448
                                                                                                                                                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):25600
                                                                                                                                                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIB77D.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1538
                                                                                                                                                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):184240
                                                                                                                                                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):711952
                                                                                                                                                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):61448
                                                                                                                                                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):437319
                                                                                                                                                                                                                                      Entropy (8bit):6.648079908952152
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:nt3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4KsE:tzOE2Z34KGzOE2Z34Kd
                                                                                                                                                                                                                                      MD5:64516175BD7955B2D208EB76E8EE88D6
                                                                                                                                                                                                                                      SHA1:E6EB4F56D29AFBB17410E7B17380F966D29D8716
                                                                                                                                                                                                                                      SHA-256:CAB102E564CCD75BFDB0ABB7EC9D0E0706DF1D5F473CD70BB21E90EE5535475F
                                                                                                                                                                                                                                      SHA-512:6DC302BDE58FC5726664047110F1BA16340CEFB5CB5B66FE6DCBE3FB1C4F980CBD99652E6A864B139C49CC81873346EC0748F883D1819528E4EAA11C44A4980A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIBA1E.tmp, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@Fl.Z.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..XML-702.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[......................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):216496
                                                                                                                                                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):216496
                                                                                                                                                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):216496
                                                                                                                                                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):435963
                                                                                                                                                                                                                                      Entropy (8bit):6.6514907935935765
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:+t3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Kse:ezOE2Z34KGzOE2Z34K5
                                                                                                                                                                                                                                      MD5:4D10A6E012C84C8F6C244817BF9A6F04
                                                                                                                                                                                                                                      SHA1:D6CC6527302EC9370CEB86448D44C7E0A4C0B8E2
                                                                                                                                                                                                                                      SHA-256:34344BA0FF2C656A5E2B5D2442AEFA82439A6FC7DB9DC3B046CE8509A78D2531
                                                                                                                                                                                                                                      SHA-512:1535922BBC117AC2A2A00E69A38748E5D0D06C75626FA111F8F607E4E06BDC839774543679B421EF791DE26521052BD22ADE694E283D98924FE51153F30FC70E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSICC22.tmp, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@kl.Z.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..XML-702.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}....&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}c.&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}............StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.......................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):216496
                                                                                                                                                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):25600
                                                                                                                                                                                                                                      Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                      MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                      SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                      SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                      SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSICE75.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1538
                                                                                                                                                                                                                                      Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                      MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                      SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                      SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                      SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):184240
                                                                                                                                                                                                                                      Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                      MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                      SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                      SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                      SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):711952
                                                                                                                                                                                                                                      Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                      MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                      SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                      SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                      SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):61448
                                                                                                                                                                                                                                      Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                      MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                      SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                      SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                      SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):437217
                                                                                                                                                                                                                                      Entropy (8bit):6.647793031255147
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:6t3jOZy2KsGU6a4Kspt3jOZy2KsGU6a4KsU:CzOE2Z34K+zOE2Z34KZ
                                                                                                                                                                                                                                      MD5:FD3732E5463397A77775DCA5DE5F6048
                                                                                                                                                                                                                                      SHA1:E3FBB1AB2ADA4DCD6DC641027F8675237A9B6F34
                                                                                                                                                                                                                                      SHA-256:9E6F32D9A4377E5C447E1B232D2C924A942FB6AE6154934C3DB9672EFA3D679E
                                                                                                                                                                                                                                      SHA-512:04CF5F9771408A106D2E133709B44CAB22A9FF1E3485411E5DF7AD415124DF85D0C6ABD002230043606970E4687287CA246A96CCD6E8D19CE879A62D16DA6C8C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIE7CC.tmp, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...@IXOS.@.....@ol.Z.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[....
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):216496
                                                                                                                                                                                                                                      Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                      MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                      SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                      SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                      SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):521954
                                                                                                                                                                                                                                      Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                      MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                      SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                      SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                      SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.1725187128777712
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:JSbX72Fj8H6AGiLIlHVRpph/7777777777777777777777777vDHFCel9YXWl0i5:JWaQI5dj9EF
                                                                                                                                                                                                                                      MD5:B1B0694D20F69333FFDF91869C6AFAA0
                                                                                                                                                                                                                                      SHA1:20FDC12F0391DB576A1ED559EA1F10D0AC86E426
                                                                                                                                                                                                                                      SHA-256:B3C65CB42005D42C8969C10EB3AC8FF6F4FF696118CD8C89A77D2B7A9F36E2D2
                                                                                                                                                                                                                                      SHA-512:AB786EBEB4D136A677BE384BE87EAEE8243F7D900AB76983E397147C9462DB9F3DEA3659CCE80964A96DA83F8745D3F24D3A3EAE1CDE2E60F3E56935FC01D433
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.172584465920146
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:JSbX72Fj66AGiLIlHVRpIh/7777777777777777777777777vDHFzTPrfWrl0i8Q:JjQI5wBTr/F
                                                                                                                                                                                                                                      MD5:63DC89E9372B22534E1BA7A9FBC87A1C
                                                                                                                                                                                                                                      SHA1:8FD5E0E61B31069864BB1DDE30C363BA3230B8CF
                                                                                                                                                                                                                                      SHA-256:D4D4D7A25CCD2BC73D13122874BDE62E5B47FC0EBEF2D8EE98E1208B7AFA0796
                                                                                                                                                                                                                                      SHA-512:22B5FAA63CB565E056C16C4262A08641F1C03488592271E4598FF8298BCE431F0B2BA18AFF5FF2CC7CF3571D961F84D7C2FE4CC15C4AC9A8DAB2D9D98D0C011E
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.1756054988306737
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:JSbX72FjP6AGiLIlHVRpUh/7777777777777777777777777vDHFz6vYF/Xl0i8Q:JYQI5Ex6v06F
                                                                                                                                                                                                                                      MD5:FE3D6FE2D2E06CBE6ADEFBD11A3A3503
                                                                                                                                                                                                                                      SHA1:E4CEA810AF6E3EDC5DB86F4A40C3EF19D11EE559
                                                                                                                                                                                                                                      SHA-256:C267136E93571BE2FDF5056968BC6D8D8DDF01C416F2C1C4DF0F44C1D10649C4
                                                                                                                                                                                                                                      SHA-512:4FA0640B73E2F6E10C964049297BEA3924C31DBBF0255991B13B91140512EEE1AF856E250BCC757636E385A12BB5ECC25E1486D02D644A7CD204BD508A71BC34
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.1633165641450676
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:JSbX72FjsGSAGiLIlHVRpY5h/7777777777777777777777777vDHFYkJ0gxpdlN:JWQI5eRxsF
                                                                                                                                                                                                                                      MD5:987BC7739F701629F97960404EC75B9A
                                                                                                                                                                                                                                      SHA1:A5368151843B4252F92254BDD231FA232D44A9FD
                                                                                                                                                                                                                                      SHA-256:38D9E13089435EF4820DEC0385438D166A08E334F8DF71A6F4FF35AE71B1CCB5
                                                                                                                                                                                                                                      SHA-512:861982DD3911F01DD81D59D30D763EBB8D1818887FAFD1F88E01963297B66D0346D0341F6DF110D58AC565A48B6FAF32831FCEEAA806C8DD872ED49488ED1FD6
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.1746646687484397
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:JSbX72Fjf6AGiLIlHVRpUh/7777777777777777777777777vDHF8nNU7kF/Xl0G:J4QI5Eai7Y6F
                                                                                                                                                                                                                                      MD5:4EB50D1AD53D2C9E7E86431BE4474872
                                                                                                                                                                                                                                      SHA1:E5D70AA84A50EB4897D5E6594A412C8C5461E518
                                                                                                                                                                                                                                      SHA-256:3693103B706156CAB88EA5B2C6716E41CC048FAE77849B84B043C1B436AC20D7
                                                                                                                                                                                                                                      SHA-512:F657F4EE92208CD6E1D24D19C95B13FC4B244EE8E7183F6907AA5B870389E7177F2A41D5B287C6FBEEDDE1F81C3578E44734560486DDE523CDD3BB2DCB877E87
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.6068265618279611
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:L8PhuuRc06WXzmFT5DhdL4ByWgeSjndd4d/Eqdmx4bQySsndd4dNWeUJmRb:yhu1bFT9LL4EW39ZZNXeJt
                                                                                                                                                                                                                                      MD5:6295AC64B79C7171926BD86978D76018
                                                                                                                                                                                                                                      SHA1:2FA4C4F76155EB7ACDC500F9DB6C86B73D4B47DA
                                                                                                                                                                                                                                      SHA-256:A6235D80DA7CEED38529BBF34482E991DEB52340D1E8D58574FA942A09C67004
                                                                                                                                                                                                                                      SHA-512:ED56863313F61287F67CB8037FFA39A237889B5B632C7906A00A882DB591BBD799275567015C166BB9330DBB60BF4D7C891FC61D6FABF943F79F974960139173
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):432221
                                                                                                                                                                                                                                      Entropy (8bit):5.375167363625084
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauk:zTtbmkExhMJCIpErJ
                                                                                                                                                                                                                                      MD5:332A9C213EF94BE3CB6DD2B9294520BC
                                                                                                                                                                                                                                      SHA1:F5E337B0EBFA06D0F4AD738E8396310D5AB30E24
                                                                                                                                                                                                                                      SHA-256:CEA6BBCA4E9694C7BE9A1BF8AF79BBDD1C45053B34BBA89646B2A918A5304AD4
                                                                                                                                                                                                                                      SHA-512:6A43431256D69F619874705311383C298954935ABEEC39EFAD11EC34B4195C8EF82682B05CC973EA5C60D3657C184A8D2628C2CCDE07A196EC78264676F1701D
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):651
                                                                                                                                                                                                                                      Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                      MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                      SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                      SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                      SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):704
                                                                                                                                                                                                                                      Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                      MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                      SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                      SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                      SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):4761
                                                                                                                                                                                                                                      Entropy (8bit):7.945585251880973
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
                                                                                                                                                                                                                                      MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
                                                                                                                                                                                                                                      SHA1:9E98ACE72BD2AB931341427A856EF4CEA6FAF806
                                                                                                                                                                                                                                      SHA-256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
                                                                                                                                                                                                                                      SHA-512:3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):471
                                                                                                                                                                                                                                      Entropy (8bit):7.063446747051874
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:JyYOp5GLsHBRHWemMep166KmbVbNBIdsS:JROpILsH+Ma6LoJPgsS
                                                                                                                                                                                                                                      MD5:9A39ADC95FB1464D253A22DCC2DC14E5
                                                                                                                                                                                                                                      SHA1:6E34744D17C588A8E0F94869B03AB62D0F44E644
                                                                                                                                                                                                                                      SHA-256:6639E71FFEC722986995500ED8A380C4B3964136813809EC9D126C5CFCE87DA1
                                                                                                                                                                                                                                      SHA-512:644CB184A0B5B8E7190A6F130922B162CEDFCAE797746D7FB340B0F8C7BBAB05755E2CE97D4AA506A6CA39328900A98544B402CFF2ED4EB6552BD5441D0419FA
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):727
                                                                                                                                                                                                                                      Entropy (8bit):7.5079461125114415
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:5o6Tq9lc5h44TUq99LUkVAi1JT/wMyNCRC22+TB7CD7AXa73I3k02eeAS/W2EQWj:5kcoqPUFi1lwMys9ZCDV1e7iWGyZn
                                                                                                                                                                                                                                      MD5:1BB19C410E02CA6D5F8295A3FA85563E
                                                                                                                                                                                                                                      SHA1:285A640DFA6CCB9132CB7DBFAEBB14B237DAE87C
                                                                                                                                                                                                                                      SHA-256:ADFC1E9F6C3BECEBB814C57E5EA2FA8F5F4371BFCF4C1B7BAE1088A2B5F53566
                                                                                                                                                                                                                                      SHA-512:0734302FAE2DA55BF9E6574BC175CBA4BD0D53BF379A0799A2D90D3C0471529D219AE3CE08A4E22AF951DEDA73082BB5DD398B59ECE8725C15959E5D4BAFD51F
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Certificate, Version=3
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1716
                                                                                                                                                                                                                                      Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                      MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                      SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                      SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                      SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):727
                                                                                                                                                                                                                                      Entropy (8bit):7.5280330787861836
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:5onfZfVc5RlRtBfQjcHsFBtOLw/VOZl+7e87auxjTe3zg4ElBSvwkNE:5iBVcdZA6MtOcOZlhklxj6guvNNE
                                                                                                                                                                                                                                      MD5:5C0AA48299F60746526052C72F06E161
                                                                                                                                                                                                                                      SHA1:1DD200CD75643C9EC75DCE015AE0736662E60E8D
                                                                                                                                                                                                                                      SHA-256:D49C0C053E9BD9660FEFC28B44EB51EB8042253F6728626EFB165F6064DE19CC
                                                                                                                                                                                                                                      SHA-512:2897E05D1903FF8ABD8D15E42E95704219488116CB2D307E1613EF0B5ECE1CD95F59AD817DE89B0106F555D80CA36B6519E890292E05BB84DFDDF848C6B13F5C
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:Certificate, Version=3
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1428
                                                                                                                                                                                                                                      Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                      MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                      SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                      SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                      SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):340
                                                                                                                                                                                                                                      Entropy (8bit):3.2507060390371376
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:kKpXa5+7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:RXtLkPlE99SCQl2DUeXJlOA
                                                                                                                                                                                                                                      MD5:0B25CF398ABEE2597E104D11375775B8
                                                                                                                                                                                                                                      SHA1:948372864AA1D07E7113E2EEF1DFB90E43F7FA9A
                                                                                                                                                                                                                                      SHA-256:2603123092ADF7CF765F6F68BC63737712B562A0A82FA09F3E95065AC28D57D0
                                                                                                                                                                                                                                      SHA-512:FEECA457F8E36C2DD1E4112A55DC64028DB4FD1E59667BC571939E02F1C853C4C0D7552EEA681672E2B58BA1F22F8244499A504FBADC98F0EEABC1AFDEE3C52E
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:p...... ........k..f..(....................................................... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):400
                                                                                                                                                                                                                                      Entropy (8bit):3.8272430154886816
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:kKhTsXERkEW//bXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:ZTsURW1mxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                                                                                                                                                      MD5:0677CFE969235EAE6A8A1FB3861F7D9B
                                                                                                                                                                                                                                      SHA1:3A53F8639472C7ED0D882DABF265684A768B7B2C
                                                                                                                                                                                                                                      SHA-256:FCDB2D134420AE7D3E94525BE6F063D3409E29EA08EDF173462354928FAC833F
                                                                                                                                                                                                                                      SHA-512:9A80DF09EA1BEB31204BB1519D4C5D90AFEDD9375CA91C92D2D003BBB94FFEC697F079E6D83152DBBB4594047DFD81E65B079BF4BFD6760DFDCAA9A9D4CCBB2D
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:p...... .............f..(....................e.....=nk.....................=nk.. ...............z...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):404
                                                                                                                                                                                                                                      Entropy (8bit):3.8378252126896775
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:kK3ZR3St79/ofOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+KscSikl:fA/omxMiv8sF3HtllJZIvOP205scn8
                                                                                                                                                                                                                                      MD5:924D85CDB01F3113B5D8B9728CEC45B1
                                                                                                                                                                                                                                      SHA1:94F029C391F3FE5FA4DA0AF0F925CBAAF5035102
                                                                                                                                                                                                                                      SHA-256:50699D37427CDFBBBFCD6EFCC2C3F07EA48668C240D7355D983ED50E9094AE15
                                                                                                                                                                                                                                      SHA-512:BEDC6F2B03338398D9B52B70E1D86170053E312AECF07B76EEA5F37A2A6B778DEADB72C3B0BC9A6E81DF922035CE0453CA4001AC575E10D91D16012B3D76CA65
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:p...... .... ...k....f..(.................i..f.....xk.....................xk.. ...............5...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):308
                                                                                                                                                                                                                                      Entropy (8bit):3.2251877309802555
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:kkFkl3KikfllXlE/YuZ/RDvcalXl+RAIdA31y+NW0y1YboOai2WelVJUTMVDXlVn:kKccalgRAOAUSW0P3PeXJUwh8lmi3Y
                                                                                                                                                                                                                                      MD5:194AD705D9EE8F715E86674B9A7B6998
                                                                                                                                                                                                                                      SHA1:70D18436E5C37A5B0290F4867AB405FA1C85D225
                                                                                                                                                                                                                                      SHA-256:E697CA48FB3A2BD976301095C7B7FC9C3D7B691E5B37BD726E81061D6F7D39E6
                                                                                                                                                                                                                                      SHA-512:D3F69A36D700758A5A3C0E5465D6EB8F939EECE36DB66C490482B0AF5CDB05BF652EC1FB5AECE7065B3A3F366D517CF391617DCBD5AA1B24F19DAF96CB49EC5E
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:p...... ........".7..f..(....................................................... ........}.-@@...A..................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):412
                                                                                                                                                                                                                                      Entropy (8bit):3.8478751570282084
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:kKtMaU8/AfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:FMcomxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                      MD5:CDE7DBFB3A19598AA7720F38A6596276
                                                                                                                                                                                                                                      SHA1:43F72DDCE0CA039FBAB9EFD71ABA8F9854B7C0CF
                                                                                                                                                                                                                                      SHA-256:B32E56AFD90DE88F12EF8912065E2A4BEA402D7195F4C105C5BFDDC5F5D1B9BB
                                                                                                                                                                                                                                      SHA-512:D71CA1316E717C471730D7F36D13DB0B69879C8CB8ECCB7150C5AE7656F75B5B4F968CED8C00E75B8A7AC3C907290164ABC34409A35E542069C465A766130088
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:p...... ....(.....F.f..(.................x..e....].kk....................].kk.. ...............@...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):254
                                                                                                                                                                                                                                      Entropy (8bit):3.077960441793651
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:kKS1LDunhIjcalgRAOAUSW0PTKDXMOXISKlUp:mLcS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                      MD5:3D25F43608B1F3F08353C2A7E71AE784
                                                                                                                                                                                                                                      SHA1:6EB308386DA3A57C3D8855D6A0C3E7EA57EB82E5
                                                                                                                                                                                                                                      SHA-256:7A933DB1596D57D424CD72B3FDB2624DA411E64A8AE58F56668AFF192838495B
                                                                                                                                                                                                                                      SHA-512:6A95E746AF8871D7397AFEF64F03EE8238420F7D0A1D5735DD9E3C4FDDEC9B813935B3D53BA52B24B2ADB9D33CDFA41CCBFDE04E8FC2F69BDB18AE9B245FCECB
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:p...... ....l......f..(....................................................... ............n...B..................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                      Size (bytes):1950
                                                                                                                                                                                                                                      Entropy (8bit):5.344231540116017
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkCHKe6PfHKWA1eXrHKlT44HK28mHDp689:iqbYqGSI6oPtzHeqKkCq13qhA7qZ44qA
                                                                                                                                                                                                                                      MD5:2760599A0CED9D2591A6446C807AC183
                                                                                                                                                                                                                                      SHA1:707CA5CB792E58535BE74ACBDB629CD9A4837CF7
                                                                                                                                                                                                                                      SHA-256:E94621939545D2DFF125951E2C56BFB6B79C24D26744565CFA80D11875BB1D13
                                                                                                                                                                                                                                      SHA-512:6E510DCB3E81B1AE6910666FCADEAF9B40A8FEED3AD2F7F97D07BA428FA67348CFEDC3E55E12F43CAE5462243CBB42292F16570A696217F69F24369F040E078A
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\545a9409c1
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1944
                                                                                                                                                                                                                                      Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                                                                                                                                                      MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                                                                                                                                                      SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                                                                                                                                                      SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                                                                                                                                                      SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1795
                                                                                                                                                                                                                                      Entropy (8bit):5.353901281631376
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:MxHKQwYHKGSI6owHptHTHhAHKKk+HKlT44HKmHKe6SHj:iqbYqGSI6owJtzHeqKk+qZ44qmq1SD
                                                                                                                                                                                                                                      MD5:B755B91A4B1975EEECAAD18CEC1DF3E3
                                                                                                                                                                                                                                      SHA1:F286D733AF1945DFAD663A86D727786772EADB44
                                                                                                                                                                                                                                      SHA-256:E85903F93B42B19B0BDD924D2B226C85AC81B0ADD69575FC4BEBDA80ACE604C8
                                                                                                                                                                                                                                      SHA-512:8657703D5CB7D5D116FDD01E4D948B9B22EBFC82DFF103335C9BFB1C03E797744AA0388583385B07902188ACF1E558F81399B7627AD54291E6007358BFE83CBD
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1983
                                                                                                                                                                                                                                      Entropy (8bit):5.345248756179348
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKksHVsHT6HNHOHKCHKlT40HKe60:iqbYqGSI6oPtzHeqKks1sz6tuqCqZ40T
                                                                                                                                                                                                                                      MD5:F974F0FCD981AC0581C5498C0155EF91
                                                                                                                                                                                                                                      SHA1:0CF6D5F41937B296EF9D37FC90E56EC8458B96DF
                                                                                                                                                                                                                                      SHA-256:500B63AEC50B89EF4CEC9ED49E53D168CDC35D235CB416B84234D3E45F3AC365
                                                                                                                                                                                                                                      SHA-512:1484917CC2A8E88DD4010FEE60394BD974D5C44ED0482DAD64B06A319E1F7E414321B8BDB06C6DE70152CFEA887BBDEFD2F2689C077251E8D2BBC9448FBF8719
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                      Size (bytes):3043
                                                                                                                                                                                                                                      Entropy (8bit):5.361093730986187
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk9HVsHUHhHKe6PfHKWA1eXrHKlT4d6HNHGHPmHKm:iqbYqGSI6oPtzHeqKk91s0Bq13qhA7qp
                                                                                                                                                                                                                                      MD5:7FBB3BC293626F02EEE5D12A2FC44FE7
                                                                                                                                                                                                                                      SHA1:A736DE9B60CEC25864AE995EF046F3F317B5D1AC
                                                                                                                                                                                                                                      SHA-256:B6ED7FB8E1D3A5AB9858099700CDA16766D6F442587CD6F965815CF8AFC1444D
                                                                                                                                                                                                                                      SHA-512:C175AF1525508EEA8DEAE8BE67E4780922492B3D01ACDB36B43220DE5B57898F10558F80C5D6218B61A236D35C41047527C6AD00770F477E23507AAEA7EF2000
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                      Size (bytes):1933
                                                                                                                                                                                                                                      Entropy (8bit):5.381647656863045
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkCHKe6PfHKWA1eXrHKlT4fHeHK/:iqbYqGSI6oPtzHeqKkCq13qhA7qZ4f+m
                                                                                                                                                                                                                                      MD5:52CDAA83C48EDB391B9D77AE080A7F05
                                                                                                                                                                                                                                      SHA1:BC3E421F10517820F55349F0C636CE6F5AC43D25
                                                                                                                                                                                                                                      SHA-256:CC4BC1EB52CD4548732E5120182DE3E3B7F5D9191BAF7B0D40DF17D30D0C0D5C
                                                                                                                                                                                                                                      SHA-512:FDFA5A33A156B89D4772A5A503ECD01B5780CD88B2286FDD0DFA47477A7EF58C5F5720CA591A7F27014AB5ED7A6CE3CDA0E71CD329332498F207AC4439626813
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2281
                                                                                                                                                                                                                                      Entropy (8bit):5.369081487433356
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT44HKmHKe6+JHxLHqHvHltOoHKkHK/:iqbYqGSI6oPtzHeqKk+qZ44qmq1IRLKC
                                                                                                                                                                                                                                      MD5:531A6F5E28B9249E42480323376AFFAA
                                                                                                                                                                                                                                      SHA1:F812EDC75EB6895946F1DEE24EDEFFA60F8EF190
                                                                                                                                                                                                                                      SHA-256:80BA3C0CDB6BDC36347B1CE852FD6E3CA4A6B3C92C204A7D974689604A662C28
                                                                                                                                                                                                                                      SHA-512:1476EE8202DBE0BABE0001318CF368028E2F103CAF8D77F4B526ADD0EEB314F7E8B68AECD25EBADDEF7A67632865DCDF2AB3C5C3C08AA245780895BBF5F60BF7
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1716
                                                                                                                                                                                                                                      Entropy (8bit):5.341926971773382
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkWHKCHKlT40HKe60HNpv:iqbYqGSI6oPtzHeqKkWqCqZ40q10tpv
                                                                                                                                                                                                                                      MD5:063D709F01B78478C26522681AF5097D
                                                                                                                                                                                                                                      SHA1:A6B4619D729EE3FA6206B74DB2699DD676470E20
                                                                                                                                                                                                                                      SHA-256:C5E8941B824143B5F0477345582F8495B4EECF7901145EA6085FB36B57B64D39
                                                                                                                                                                                                                                      SHA-512:C6C15C1655E42EEE66F0B5397E25691EE836B0095FDD3C5D202DF06855AFED2FE57CFA094DEE9C5327CDC27A8AEFD532A50638B2DEDA9A3B57B6EBE6AC3EB847
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1499
                                                                                                                                                                                                                                      Entropy (8bit):5.341844552740347
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUN+E4KlOU4mHE4KXWE4Ke60:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT4A
                                                                                                                                                                                                                                      MD5:1F102800C2B4B52354570886D784EA54
                                                                                                                                                                                                                                      SHA1:B84148B4A84AF5669134EB9EC27904A05E2517D2
                                                                                                                                                                                                                                      SHA-256:8367F22954F447B469ED78A27028539219651BEB79AFF371045A3347E99B906A
                                                                                                                                                                                                                                      SHA-512:AE4C42696AC5C7F532820D0B5D2412FEAEE4641884B189559C25989E013E09D799C10C98DDC6813D9F7C76A475C34DF8A48BAFC2F5D17708CF5440F931D1CE0A
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):1075
                                                                                                                                                                                                                                      Entropy (8bit):5.353521172341231
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNa8mE4Dp689:MxHKQwYHKGSI6oPtHTHhAHKKka8mHDpN
                                                                                                                                                                                                                                      MD5:BDADAD127D5A6079C29C0C870A5C3C2C
                                                                                                                                                                                                                                      SHA1:AD5D30886AE959F271CF777D386A31CD792C9A64
                                                                                                                                                                                                                                      SHA-256:7186B9EAC66BD83E5E1C050D81529BC68511538118E65019EBECFD952C22FD55
                                                                                                                                                                                                                                      SHA-512:198087F52C39A32ACE7A90E9212C2AA0F31EDF8349773C8C6C5495CA82C890F9A8A44356AC5AEBB42F3342E6BE981DC4BCFE1D7FB43760745D7240A117257725
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv7
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):64
                                                                                                                                                                                                                                      Entropy (8bit):0.34726597513537405
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:Nlll:Nll
                                                                                                                                                                                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:@...e...........................................................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):225724
                                                                                                                                                                                                                                      Entropy (8bit):3.7819224345988682
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:wr/g/5muN9MjWCQWMjjl6BA+hbm87yHxC4:WjVIjXX
                                                                                                                                                                                                                                      MD5:19F4307A797C5987F33C6D2CF56EA061
                                                                                                                                                                                                                                      SHA1:99F0586E00E6F70EF7C585519A33DDAA54F73E67
                                                                                                                                                                                                                                      SHA-256:51A829854CFE015562D53CE7CCA5BF754364D184B03C1212B8268EA3EE562155
                                                                                                                                                                                                                                      SHA-512:F1C770BE1E5F732E9FF80C40D55FB2D1A9A72F1C2484480F06EC58133BA8677651289004A21DF1166687D499EAD02466E74F1992470CACEFB25D16ED30C0A285
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:=== Verbose logging started: 14/01/2025  13:35:08  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\SYSTEM32\msiexec.exe ===..MSI (c) (88:CC) [13:35:08:134]: Resetting cached policy values..MSI (c) (88:CC) [13:35:08:134]: Machine policy value 'Debug' is 0..MSI (c) (88:CC) [13:35:08:134]: ******* RunEngine:..           ******* Product: C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi..           ******* Action: ..           ******* CommandLine: **********..MSI (c) (88:CC) [13:35:
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):483600
                                                                                                                                                                                                                                      Entropy (8bit):3.846513546806107
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:iuDNLWcX+9nFNUsZomwL5flTNtjghstV1wbanSAfF/3jxL4j70KefiIC71i2FWcQ:Rj/Ky
                                                                                                                                                                                                                                      MD5:F76397D55EFFD3C71060019F7D88E621
                                                                                                                                                                                                                                      SHA1:500D29706108CE1E80197EE96245F88A245788C6
                                                                                                                                                                                                                                      SHA-256:F5E98ADEBC8FA9507973802012AF4D21D21DDBFA3687A31DFD2D846563314B71
                                                                                                                                                                                                                                      SHA-512:6E3A3F2C777E27A58D3AB15B6FAA77ED8B4B7EE8DCC28C7CE1967BE77F1A7D847EEDF520E78C79A55532E1F8D406BBA56599B51D899E74D4BBF879E5483C626E
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_8.0.11_(x64)_20250114133539_000_dotnet_runtime_8.0.11_win_x64.msi.log, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:=== Verbose logging started: 14/01/2025  13:35:40  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{3720DFA6-F021-4679-B121-56C0886B3841}\.be\dotnet-runtime-8.0.11-win-x64.exe ===..MSI (c) (80:E0) [13:35:40:438]: Resetting cached policy values..MSI (c) (80:E0) [13:35:40:438]: Machine policy value 'Debug' is 0..MSI (c) (80:E0) [13:35:40:438]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{9C80213E-9079-4561-8D57-1FDD0D62251F}v64.44.23191\do
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (401), with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):99342
                                                                                                                                                                                                                                      Entropy (8bit):3.7904179473391983
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:6ZIua0+xW324MRhr530YjkrPWzUdthUccccccccccjLp8ZsvYn:Ljhg
                                                                                                                                                                                                                                      MD5:09FB0CB4207120F703C8DAE11E994978
                                                                                                                                                                                                                                      SHA1:ECBDE6D3492381D75F0251A4B29F2E8FBDBA12F8
                                                                                                                                                                                                                                      SHA-256:888B74AD0B165AEEF2888C22EE859C26F8506A31799B469C8BC77640B79132D8
                                                                                                                                                                                                                                      SHA-512:A788B348C5E70E38D74E3C4C210393905F0FBF4E68D07ACD52D6C3D59F3523A817A97BD1B4FE8DE0B3F59B6DAABFF17AADC47EAB3CEB1909B94C4B7D45B8DAA5
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_8.0.11_(x64)_20250114133539_001_dotnet_hostfxr_8.0.11_win_x64.msi.log, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:=== Verbose logging started: 14/01/2025  13:35:51  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{3720DFA6-F021-4679-B121-56C0886B3841}\.be\dotnet-runtime-8.0.11-win-x64.exe ===..MSI (c) (80:64) [13:35:51:704]: Resetting cached policy values..MSI (c) (80:64) [13:35:51:704]: Machine policy value 'Debug' is 0..MSI (c) (80:64) [13:35:51:704]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{F59C11F0-D73F-452B-8D1D-8C33B82D8507}v64.44.23191\do
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (386), with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):109632
                                                                                                                                                                                                                                      Entropy (8bit):3.79245541974904
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3072:A8F8SUOB/73JEJEtG8jjIl2TneoVTxudQnJG0kM:bjIE
                                                                                                                                                                                                                                      MD5:F2F0F0215BDD660CF33A6EFD7C3A3DE4
                                                                                                                                                                                                                                      SHA1:F0B891DF7895ACE66F87C37087F4F8196CAB1DF2
                                                                                                                                                                                                                                      SHA-256:983F3743015AE5B81BAD32743BF5A66EA4E1D5DB582CCFBDAC7D260C48880032
                                                                                                                                                                                                                                      SHA-512:46CA82BB69D6C51F64AB958EFE8209A89C084635FD7957F6AF3E9E1451FC789F67D4F8F363FEAEE99F033AAB9F8EDEC846CD37483CB34E3A7C77AB82EFEE9289
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_8.0.11_(x64)_20250114133539_002_dotnet_host_8.0.11_win_x64.msi.log, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:=== Verbose logging started: 14/01/2025  13:35:52  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{3720DFA6-F021-4679-B121-56C0886B3841}\.be\dotnet-runtime-8.0.11-win-x64.exe ===..MSI (c) (80:E8) [13:35:52:813]: Resetting cached policy values..MSI (c) (80:E8) [13:35:52:813]: Machine policy value 'Debug' is 0..MSI (c) (80:E8) [13:35:52:813]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{362B4D0D-8438-44DA-86B2-FEC44E000FCA}v64.44.23191\do
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):4332
                                                                                                                                                                                                                                      Entropy (8bit):3.664026635145355
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:96:YPG+8bjJbf5b2bDOgb+bwb9fb8fnbetJdbe+681czd1czJfN7eIieb+tJwpF95n8:r9JVSnOg60ZfyynCbIlbjr9Z8
                                                                                                                                                                                                                                      MD5:BB4F4D2562D59A1D7A1FB8FC6927139B
                                                                                                                                                                                                                                      SHA1:10686A4C49E7BA8418E72F75CA717C1AA5693082
                                                                                                                                                                                                                                      SHA-256:0A4EA7B535E46720085EF0C5DBFAC7D3B40E569192566F30AE49B4A4C9DE188B
                                                                                                                                                                                                                                      SHA-512:5E9AF239379ACC17FC046F76F5A3ABA25A925F6E05B4D0BDD8FD87529993D0D75C481E20D3643A9AA539FC975C4C58ECE5232D5B32F770A1F943E6F54B00070A
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
Preview:=== Verbose logging started: 14/01/2025  13:35:21  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\SysWOW64\msiexec.exe ===
MSI (c) (54:F4) [13:35:21:235]: Resetting cached policy values
MSI (c) (54:F4) [13:35:21:235]: Machine policy value 'Debug' is 0
MSI (c) (54:F4) [13:35:21:235]: ******* RunEngine:
           ******* Product: setup.msi
           ******* Action: 
           ******* CommandLine: **********
MSI (c) (54:F4) [13:35:21:235]: Client-side and UI is none 
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):56907920
                                                                                                                                                                                                                                      Entropy (8bit):7.937481143445435
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:1572864:xnOdpvYs+cvrrjOAYfDJnEAOns5w5k8BzFl73BuvH:xQNLOAYfzOBO8B3dmH
                                                                                                                                                                                                                                      MD5:9CD6BA3AD27DAC967F073CBCAD88FEF9
                                                                                                                                                                                                                                      SHA1:FFE503C57539FD91A2F09EFE8FA44958AD96B4A2
                                                                                                                                                                                                                                      SHA-256:248E1FC6DF40583AF705BB617F402092F1943F27416F5557AC9CEFE284761019
                                                                                                                                                                                                                                      SHA-512:A9DA38896354174DED6A1D2AE548A5A797F6BF2A6CA6C8519FC2ED704C39E2D36E916FCB70FE3BB98201C5EB91667CD7D752BD07B4FFC1575526FF87FDBCFFCA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{F~.(F~.(F~.(O.8(U~.(F~.(.|.(O.>(\~.(O.((.~.(O./(.~.(O.!(A~.(O.?(G~.(O.:(G~.(RichF~.(................PE..L.....Gg............................./............@.................................Rwd.............................................. ..(............0d..(..........`................................i..@...................D........................text............................... ..`.rdata..............................@..@.data....^......."..................@....rsrc...(.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):2994176
                                                                                                                                                                                                                                      Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                      MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                      SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                      SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                      SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):0.07797218943672189
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOClsplzzhU+PQjgVky6lW:2F0i8n0itFzDHFCel9YXW
                                                                                                                                                                                                                                      MD5:4EC4E492EBEB753C4F915B31950AC8D0
                                                                                                                                                                                                                                      SHA1:BAB5F87173442D8517A72AC17FF1B1FEA71FD97E
                                                                                                                                                                                                                                      SHA-256:0131417FA5FCD6603F9E5C496DCDE4DA9F61E0231178304D3D6F24C1BF820498
                                                                                                                                                                                                                                      SHA-512:BF6FAAA6126B3844CD53371FF6729E23BF760ECC498BF1A86D5DA873B35BF7F41AE58C91F030A90D03789B50A59A5A92424B71795D4EE576B11C6A7A342C1046
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):69632
                                                                                                                                                                                                                                      Entropy (8bit):0.14478149310350238
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:04l5rEuSsndYSjnd/EqdGUDjxbQzgWxdv4rByr:BljWI3DtChbgrEr
                                                                                                                                                                                                                                      MD5:EC83698CC6969D1A6F73090780C1B01C
                                                                                                                                                                                                                                      SHA1:D7C2FF38F62EE31924713224D45142633DF7A369
                                                                                                                                                                                                                                      SHA-256:0775D8572557A10F65488E3A9A7F46D2329417DA9C3F21E039D0E5F68DBE3FA3
                                                                                                                                                                                                                                      SHA-512:1C7975AF53C20BD272203965EBC2222BD6C040C3D3547BEF01B80DDF7BEB94AC5BF0C3B9908278EDD8C3949B532D80BBACA591F242D43F2FE2ABEB92A8C263E2
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF031E6A2EADC2E3D5.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.619553738010167
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:qi8PhPuRc06WXJEjT5fDgDqISoedvPdvbCnuhnq9On8H0dStedvPdvxubS:qNhP1HjThDRIciuBuOWC4
                                                                                                                                                                                                                                      MD5:D40C9733092035B36C824AEFE84FD51F
                                                                                                                                                                                                                                      SHA1:96036F43B46E67A7126E5481CD5D3E3A9FE8FB84
                                                                                                                                                                                                                                      SHA-256:E8F21ABB59C1BE1323D13E589D9644D905ACA4088FDE1DA93F2B0EB8B10CA39C
                                                                                                                                                                                                                                      SHA-512:2F592349105386EA075B2F2F531303DDB0224A32EBE7F1C9FF51D04F469E60C4E2B13A32574263178E7F961B09E7F4AA921D6C4AC17E5AA4380B755F1C977ACA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF03DAE23EAFCC3585.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2817269049549629
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:shmulth8FXznT5KhdL4ByWgeSjndd4d/Eqdmx4bQySsndd4dNWeUJmRb:UmhJTQLL4EW39ZZNXeJt
                                                                                                                                                                                                                                      MD5:E708116C399E3A54623093BC80A898CD
                                                                                                                                                                                                                                      SHA1:DC89491C4955FF0EE3E0633FE003B345ED50F251
                                                                                                                                                                                                                                      SHA-256:08FEF808209D6E3B53DD736B91845D30A7CA90F8B6379CB7DEE2E4F339E66E7F
                                                                                                                                                                                                                                      SHA-512:09655ED08D5BA31D7E98DA9815BDF00E259484A13AEB5B61A308325689194FF3C0386005D6127F3FD3559441F9498BC36B7AA8C990095FDE6C4B711F65B9DBC3
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.279957365545884
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:qhwu3th8FXznT5CtdL4ByWg6Sjndd4d/EqdGUDjxbQSSsndd4dXE8Rb:Sw3JTY/L4EWr93DtNgt
                                                                                                                                                                                                                                      MD5:7A9EDD0951592FFA0DCA23B803502F1F
                                                                                                                                                                                                                                      SHA1:06B9D40EF7BB1C855053C829B24FE957375F9177
                                                                                                                                                                                                                                      SHA-256:8607F21308E08A06F6BD3A1CACF44A3A024C51CB7D42F3A2224FE6CEC35B28A7
                                                                                                                                                                                                                                      SHA-512:2030F7087AB8164AB741F52399DDA258AF0FBDC800DA38F101A6050C5CA0DCD66A38D03D390C1984A317F39E019FF74B370D5A2711B05DFFD256CABD07A003F4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0FC8039C7B9CAF59.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):0.0700353123605364
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOYg/wQUDqzKTIqVky6lf1:2F0i8n0itFzDHFYkJ0gTd
                                                                                                                                                                                                                                      MD5:9389D3C68B1F46EAFCD8C9C58A4820BE
                                                                                                                                                                                                                                      SHA1:7854F00E676834AFC64CCB236997D9B9BD5D248A
                                                                                                                                                                                                                                      SHA-256:536E14230D5B6B5C9B29BDE7F8549B299BD9277E5ADD446600DF3D8701C45F1C
                                                                                                                                                                                                                                      SHA-512:074658CC3AF59156CC5CD19FD3370D9FFC7ADCA4575A866F43037AD0699ECBCB6E62CDBB89DED2A546F933E1801791388DB2A2041A2BAF86D4639E1DFD33E6B5
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.5699733423949185
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:o8PhFuRc06WXzcjT5Hqdv4rByKgWRSjnd/EqdGUDjxbQ6Ssnd/E85f4:3hF1BjTZGgrEKhRI3DtNP6
                                                                                                                                                                                                                                      MD5:1461513C9C2C55C3EB648F532A992F46
                                                                                                                                                                                                                                      SHA1:4BD49792113207552E8BF772D7CD31327E77EE54
                                                                                                                                                                                                                                      SHA-256:DED77834168705883B9D99AF42A564C62E810891566C80AC9536FBE1BFB249D3
                                                                                                                                                                                                                                      SHA-512:5B27C8FAA76B0527554D5B32B1053FE97797F8EB1EED4AD3B19D03CF3BD24E5A0ED98DEEF484F5D8117513E4BAB3465BD1161D9A13E84B4578FECB8A9AA48345
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF19F6CA16E441F4BA.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.277611664348115
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:yOLuXrh8FXz3T5bMMdtBvgF6SjndddwEqdGUDjxbQiSsndddSE8d:1LlJTVMstJA6f3DtNa
                                                                                                                                                                                                                                      MD5:F4573ED35BB232F27B768A35AAA787B9
                                                                                                                                                                                                                                      SHA1:074744F15E8A3446E278B0D16BE1234959516B56
                                                                                                                                                                                                                                      SHA-256:D5648E3078754A7C5C363E11326B08029A07107D4479328642436A6F84633510
                                                                                                                                                                                                                                      SHA-512:E77803C3036F0E0907A1D3F7492C9B22B8BFD8BBFAF2406A8E94E850FEF2C66440B07691D5A776C615C2B34A7D6CF6091A3B1CC85C9798DE2480D96C2A54CD8A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF1F0D1A244819E315.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.277611664348115
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:yOLuXrh8FXz3T5bMMdtBvgF6SjndddwEqdGUDjxbQiSsndddSE8d:1LlJTVMstJA6f3DtNa
                                                                                                                                                                                                                                      MD5:F4573ED35BB232F27B768A35AAA787B9
                                                                                                                                                                                                                                      SHA1:074744F15E8A3446E278B0D16BE1234959516B56
                                                                                                                                                                                                                                      SHA-256:D5648E3078754A7C5C363E11326B08029A07107D4479328642436A6F84633510
                                                                                                                                                                                                                                      SHA-512:E77803C3036F0E0907A1D3F7492C9B22B8BFD8BBFAF2406A8E94E850FEF2C66440B07691D5A776C615C2B34A7D6CF6091A3B1CC85C9798DE2480D96C2A54CD8A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF330515E7C2838D1E.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.6068265618279611
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:L8PhuuRc06WXzmFT5DhdL4ByWgeSjndd4d/Eqdmx4bQySsndd4dNWeUJmRb:yhu1bFT9LL4EW39ZZNXeJt
                                                                                                                                                                                                                                      MD5:6295AC64B79C7171926BD86978D76018
                                                                                                                                                                                                                                      SHA1:2FA4C4F76155EB7ACDC500F9DB6C86B73D4B47DA
                                                                                                                                                                                                                                      SHA-256:A6235D80DA7CEED38529BBF34482E991DEB52340D1E8D58574FA942A09C67004
                                                                                                                                                                                                                                      SHA-512:ED56863313F61287F67CB8037FFA39A237889B5B632C7906A00A882DB591BBD799275567015C166BB9330DBB60BF4D7C891FC61D6FABF943F79F974960139173
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.6068265618279611
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:L8PhuuRc06WXzmFT5DhdL4ByWgeSjndd4d/Eqdmx4bQySsndd4dNWeUJmRb:yhu1bFT9LL4EW39ZZNXeJt
                                                                                                                                                                                                                                      MD5:6295AC64B79C7171926BD86978D76018
                                                                                                                                                                                                                                      SHA1:2FA4C4F76155EB7ACDC500F9DB6C86B73D4B47DA
                                                                                                                                                                                                                                      SHA-256:A6235D80DA7CEED38529BBF34482E991DEB52340D1E8D58574FA942A09C67004
                                                                                                                                                                                                                                      SHA-512:ED56863313F61287F67CB8037FFA39A237889B5B632C7906A00A882DB591BBD799275567015C166BB9330DBB60BF4D7C891FC61D6FABF943F79F974960139173
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2300751780189139
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:uVUuKJveFXJfT5TDg6/KMqISoedGPdGTWaStedGPdGTn:CU4HTVDF/K5IeD
                                                                                                                                                                                                                                      MD5:D538042022EB1594160098D19EC01842
                                                                                                                                                                                                                                      SHA1:36BC336FAD847A000E5A1AEDCFB675EE81BBC2A5
                                                                                                                                                                                                                                      SHA-256:0AFF3655B3090A14E1469502C6ABD0F82764778BA1D6FC788417A9395FCDEFA5
                                                                                                                                                                                                                                      SHA-512:A7DF62B83B1F075391759C0B6B2DCDF56B9F14C0611084253810565B04BD7D563BA0F8A95C86CE42BA5688675AA0CA0BA8B8B436B4D3DD185606B3F384C1D546
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF3DDFFD3B292A498A.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):69632
                                                                                                                                                                                                                                      Entropy (8bit):0.14074279545805213
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:CnVubmStedGPdGeqISoedGPdGfoBrY3gV:icyLIA
                                                                                                                                                                                                                                      MD5:35AC06B85B994B90FAD63726BA6AEBD9
                                                                                                                                                                                                                                      SHA1:3BDC0C7C123D62C8FB05151D9C054FF31DFE9ED6
                                                                                                                                                                                                                                      SHA-256:89D5421180DAF85039990CD666955D7F4A8A54BD4C6AF61A7B45FDAAD1530352
                                                                                                                                                                                                                                      SHA-512:D14E98FD84BA17993BF94E9392D5FD563840419C59A8F8F2A0B42D66F27DB8A555D705830E02A026043DC4B6C0848BBB07984EA61DC7F0DCFA233E18CBDBB08C
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF44D96E07E9A5473B.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.6001674487988775
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:Fh8PhTuRc06WXzcjT5CMdtBvgF6SjndddwEqdGUDjxbQiSsndddSE8d:F8hT1BjTcstJA6f3DtNa
                                                                                                                                                                                                                                      MD5:B9F2FB68B7A881ACC5870238BC8FE5BF
                                                                                                                                                                                                                                      SHA1:21AE37CB68AF8E1B198CFA81BDA49B91BDAADFE7
                                                                                                                                                                                                                                      SHA-256:8DD2A6081B3A87E97E5A5F15C544E3A31294FC9DBC49F6BB480AC6A9AE9D0505
                                                                                                                                                                                                                                      SHA-512:00975EE3D3260B752559196597633B9F943999D60BBEC99243637C8AEC940FB0A83FEDC087EB2261B0BC0CFAF8EADE15793D7A813849D6BB06ED7CFA9F21CF88
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF47CDAC368E11675F.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.277611664348115
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:yOLuXrh8FXz3T5bMMdtBvgF6SjndddwEqdGUDjxbQiSsndddSE8d:1LlJTVMstJA6f3DtNa
                                                                                                                                                                                                                                      MD5:F4573ED35BB232F27B768A35AAA787B9
                                                                                                                                                                                                                                      SHA1:074744F15E8A3446E278B0D16BE1234959516B56
                                                                                                                                                                                                                                      SHA-256:D5648E3078754A7C5C363E11326B08029A07107D4479328642436A6F84633510
                                                                                                                                                                                                                                      SHA-512:E77803C3036F0E0907A1D3F7492C9B22B8BFD8BBFAF2406A8E94E850FEF2C66440B07691D5A776C615C2B34A7D6CF6091A3B1CC85C9798DE2480D96C2A54CD8A
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF49FA946339BE9BCC.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.6033558346006964
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:T8Ph4uRc06WXzmFT5ztdL4ByWg6Sjndd4d/EqdGUDjxbQSSsndd4dXE8Rb:6h41bFT9/L4EWr93DtNgt
                                                                                                                                                                                                                                      MD5:34AC45BF94A16FAB4FEA5BE3F008937B
                                                                                                                                                                                                                                      SHA1:CADEF100E7D8E2770C1E44ABE836A5AB10EE5F43
                                                                                                                                                                                                                                      SHA-256:6FFED22063C531A1F7098E14897380F195527CA766B1DA9C966FAA43BC0D0776
                                                                                                                                                                                                                                      SHA-512:9D4D2058D668DB8E539C993FFE8BA687412E2373D6CB3A63266033A632B8E8BB51BF0AD9E4A97090BDC309175A268A3FFB0D5DC858058AF931443914A8250AF4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF505B9DA8AB49E8F7.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):49152
                                                                                                                                                                                                                                      Entropy (8bit):1.000276175910158
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:oMMXukJveFXJfT5ppDgDqISoedvPdvbCnuhnq9On8H0dStedvPdvxubS:gXaHTnpDRIciuBuOWC4
                                                                                                                                                                                                                                      MD5:C0EEBC4F25B7F48E9587ADBCC539B199
                                                                                                                                                                                                                                      SHA1:F48089F756D05B6101521F5213F639CBC7F70D44
                                                                                                                                                                                                                                      SHA-256:657B98199415FF0A0686ED1B96AAB6F40494BD564B1DD227E6B436EF48EDE538
                                                                                                                                                                                                                                      SHA-512:99519343314BCD65A28277028822A56613E51FD2B55061E0BC84E437445615F4311468A807BE9DDDB9064D92E19057184840C98B1B7BBF3EB881F4E35F2891B9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF50DDB4410769EE1D.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.5596529555287586
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:X8PhluRc06WXJejT59kg0qISoedGPdGfoBrYrStedGPdGRub1n:Whl11jToeIaox
                                                                                                                                                                                                                                      MD5:80D8BC496D00E90FA00730A6676F2BDA
                                                                                                                                                                                                                                      SHA1:9A867C6C157C07250F24632884A20F976FFE9A03
                                                                                                                                                                                                                                      SHA-256:B2F9B5E3E045CDE533060C6CA58FCCB3710BB2564FB369053432277B14E8089C
                                                                                                                                                                                                                                      SHA-512:999E133589B68137CFE54477EEA286BCE66799BBC383525FAF37A535DFB10EF18398463B82C65188E2582852FA9CCF9161D26EDF77D6BDC6B186E68B8AF1F81B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF52C85AFF5223CE4F.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2550357620921204
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:H69u5rh8FXz3T53qdv4rByKgWRSjnd/EqdGUDjxbQ6Ssnd/E85f4:a9LJTxGgrEKhRI3DtNP6
                                                                                                                                                                                                                                      MD5:65652D3B0BF20735F8A7188A09AF059D
                                                                                                                                                                                                                                      SHA1:639654B9DA604F9BF0659DEBBDFCEAC703D06AD9
                                                                                                                                                                                                                                      SHA-256:95A871B7A7CACDB474D6B832F21627B5ED2749F3AA5CBFDB2B8E394989864A00
                                                                                                                                                                                                                                      SHA-512:918BEB7AB76D2358DADE7ECABC19CCE68F577EA2E38F4F76535358C9A46E29CEE245EBEA9982BF1110CCA60D0A8B551974B475C88D53E6F94EE2F8B4C34C8E6F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF54AC50259F651B2F.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2209852031756079
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:f+8PhcuRc06WXJEjT5PDg6/KMqISoedGPdGTWaStedGPdGTn:Zhc1HjTRDF/K5IeD
                                                                                                                                                                                                                                      MD5:EEA6B9B66F4F39E66516792293C80958
                                                                                                                                                                                                                                      SHA1:3DF4BD81508A3A683DF6858B9A4DCCFABC081AEE
                                                                                                                                                                                                                                      SHA-256:27AF623981B6E38068FB683D2222794CE77CDA416BA943E01F77F499AB0021FF
                                                                                                                                                                                                                                      SHA-512:8B82E4DC6090ABE73C9EEA1589A7494FB1950A36D149C15A5F26130AE8390D3D7EA0B1F4E2D00433870AE3C6A5EEC73C4FCBA33753AA91D46596D0421BE23CBE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF572CE684DC65C7EA.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2493127247198048
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:NJgduksJveFXJ5T59kg0qISoedGPdGfoBrYrStedGPdGRub1n:IdxRToeIaox
                                                                                                                                                                                                                                      MD5:2C6CE458228C07766408EBA8229BD885
                                                                                                                                                                                                                                      SHA1:986FA60E9F9CC95621872374E7E8F58C35FD60E7
                                                                                                                                                                                                                                      SHA-256:7DE9C3B3CDEE9EFA81211DA69B389F4E10E7E47548E135FE3299745BA42870D6
                                                                                                                                                                                                                                      SHA-512:C4D12344454D03B8D8BEA4BDE2E761786B030D5B03B6BCCE95F583F8B541A8AFF963E9007468B2BA94D17A672068473D27CFC93120775F0E1B6F8CDD5C4094DA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF5DB8468F6DFC9E15.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2817269049549629
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:shmulth8FXznT5KhdL4ByWgeSjndd4d/Eqdmx4bQySsndd4dNWeUJmRb:UmhJTQLL4EW39ZZNXeJt
                                                                                                                                                                                                                                      MD5:E708116C399E3A54623093BC80A898CD
                                                                                                                                                                                                                                      SHA1:DC89491C4955FF0EE3E0633FE003B345ED50F251
                                                                                                                                                                                                                                      SHA-256:08FEF808209D6E3B53DD736B91845D30A7CA90F8B6379CB7DEE2E4F339E66E7F
                                                                                                                                                                                                                                      SHA-512:09655ED08D5BA31D7E98DA9815BDF00E259484A13AEB5B61A308325689194FF3C0386005D6127F3FD3559441F9498BC36B7AA8C990095FDE6C4B711F65B9DBC3
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.5728256212772833
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:gT8PhzuRc06WXzcjT5Xdv4rByKg/Sjnd/Eqdmx4bQaSsndVWeUJm5f4:hhz1BjTzgrEKGIZZNueJ6
                                                                                                                                                                                                                                      MD5:EACC6EE86914125BCD27EA7B63CF2971
                                                                                                                                                                                                                                      SHA1:8128A4EDECD083F7310B23649A7E923FE99DB992
                                                                                                                                                                                                                                      SHA-256:D2B0954EE2C85CF97DE18A94925F66A0557FDF6A92025846EAA58FE121506E60
                                                                                                                                                                                                                                      SHA-512:546BAD6A73D1D11A7D1624CB7F3AA3A6939A19EA22D496C25AC4F7F7C85BB77AF499D131360644C3338D492322085D7A9D94B97162AF91D16F08D11B1133E8D5
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.5728256212772833
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:gT8PhzuRc06WXzcjT5Xdv4rByKg/Sjnd/Eqdmx4bQaSsndVWeUJm5f4:hhz1BjTzgrEKGIZZNueJ6
                                                                                                                                                                                                                                      MD5:EACC6EE86914125BCD27EA7B63CF2971
                                                                                                                                                                                                                                      SHA1:8128A4EDECD083F7310B23649A7E923FE99DB992
                                                                                                                                                                                                                                      SHA-256:D2B0954EE2C85CF97DE18A94925F66A0557FDF6A92025846EAA58FE121506E60
                                                                                                                                                                                                                                      SHA-512:546BAD6A73D1D11A7D1624CB7F3AA3A6939A19EA22D496C25AC4F7F7C85BB77AF499D131360644C3338D492322085D7A9D94B97162AF91D16F08D11B1133E8D5
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):0.07937653477243305
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO8nNr6w+7kjSVky6l/X:2F0i8n0itFzDHF8nNU7kF/X
                                                                                                                                                                                                                                      MD5:6439878FA337DD7B769919FF5C35359F
                                                                                                                                                                                                                                      SHA1:8620735C219A9D25C02E9E6E9A9391A23603C1E8
                                                                                                                                                                                                                                      SHA-256:763703258878870A0265B0870A7B877F8496E2A800139B82572AFD15D8449FFA
                                                                                                                                                                                                                                      SHA-512:4A51F4D7DC1E4932A9A6A5E3BF6B611BC515DAC3FFAFBA3C8E40E0C9F1D9A108A028BA02DDC32EE60F0B424482904E7594BA049EE58FD4CB59A85EB268DB6FAD
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):69632
                                                                                                                                                                                                                                      Entropy (8bit):0.15834146582005817
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:W0RrEuSsndd4dASjndd4d/EqdGUDjxbQwg/dL4Byj:W0L/93DtJgL4Ej
                                                                                                                                                                                                                                      MD5:A4C1E8800F55FAC71B0F8EBE8474A99E
                                                                                                                                                                                                                                      SHA1:9E5A7A26CBAC805BF81B01BF6FFD345E247A4BA1
                                                                                                                                                                                                                                      SHA-256:FDE50915A03C5EE1207B70231ED0F84E7703981C6C761997A90BB81FA07E99B8
                                                                                                                                                                                                                                      SHA-512:F7E03AEC6B5F556DDF9AD4FF58522B9FC2BF47D89A05EDBCE980067D311F0127BD5432F30A16F86D5EB6FED93C13CC82D638740B308BDBFC7D4F06893D37BC28
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF70522A7512B0DF53.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):69632
                                                                                                                                                                                                                                      Entropy (8bit):0.15705308076875862
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:YdbEuSsndddPSjndddwEqdGUDjxbQYsgMdtBz:Y39f3DtTsJtl
                                                                                                                                                                                                                                      MD5:61710A119A606D2E80E6131D48BFD9FB
                                                                                                                                                                                                                                      SHA1:958D46FBB01F72D381C80E378B3CC67FAE41ED40
                                                                                                                                                                                                                                      SHA-256:DB8D39CC63CF3D5A57B804C6C0751F6FE83FE807D73A393A1B26F32C2F88BEFD
                                                                                                                                                                                                                                      SHA-512:51871DE513B464D3C3CEB50654756FCA381ED634A731C7FE8FDEF7E742CA23F61792782E6D430D4F5BCE26B984F27DDFE29779EFD2CD09798445F65C33A6C314
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF70E7F98A2CC68928.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.279957365545884
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:qhwu3th8FXznT5CtdL4ByWg6Sjndd4d/EqdGUDjxbQSSsndd4dXE8Rb:Sw3JTY/L4EWr93DtNgt
                                                                                                                                                                                                                                      MD5:7A9EDD0951592FFA0DCA23B803502F1F
                                                                                                                                                                                                                                      SHA1:06B9D40EF7BB1C855053C829B24FE957375F9177
                                                                                                                                                                                                                                      SHA-256:8607F21308E08A06F6BD3A1CACF44A3A024C51CB7D42F3A2224FE6CEC35B28A7
                                                                                                                                                                                                                                      SHA-512:2030F7087AB8164AB741F52399DDA258AF0FBDC800DA38F101A6050C5CA0DCD66A38D03D390C1984A317F39E019FF74B370D5A2711B05DFFD256CABD07A003F4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF754BD4A196221961.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):49152
                                                                                                                                                                                                                                      Entropy (8bit):1.000276175910158
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:oMMXukJveFXJfT5ppDgDqISoedvPdvbCnuhnq9On8H0dStedvPdvxubS:gXaHTnpDRIciuBuOWC4
                                                                                                                                                                                                                                      MD5:C0EEBC4F25B7F48E9587ADBCC539B199
                                                                                                                                                                                                                                      SHA1:F48089F756D05B6101521F5213F639CBC7F70D44
                                                                                                                                                                                                                                      SHA-256:657B98199415FF0A0686ED1B96AAB6F40494BD564B1DD227E6B436EF48EDE538
                                                                                                                                                                                                                                      SHA-512:99519343314BCD65A28277028822A56613E51FD2B55061E0BC84E437445615F4311468A807BE9DDDB9064D92E19057184840C98B1B7BBF3EB881F4E35F2891B9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF77A6D6044EE2AC8F.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):69632
                                                                                                                                                                                                                                      Entropy (8bit):0.13004504940337683
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:24:CnAipVfedGSadGS7qIipVGedGSadGSfEqasJGPWTZkXK2+v6V+n:CnAStedGPdGeqISoedGPdGTWEK2g6V
                                                                                                                                                                                                                                      MD5:657AC1E4007796C2BB27A70DB93DAF9F
                                                                                                                                                                                                                                      SHA1:385E81E73F0FF967741E274864CC56DB5295A7FA
                                                                                                                                                                                                                                      SHA-256:0C9E2013ACDEBD9C8336B0B4D960784BECA1E152EE3CF4F86C4D3A33B6ECD949
                                                                                                                                                                                                                                      SHA-512:6415E9D86E76CC1E78ABC4F25C8695820E826DDD66B97B34623BA7B55CD670409A2C866CC1FA91E9017F46BD2D53FBA495CB6C11A2B9D93E9D601C6835136CE5
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF79A08EE260C65CD3.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2568058727203626
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:O6ruHrh8FXz3T5ndv4rByKg/Sjnd/Eqdmx4bQaSsndVWeUJm5f4:NrRJTLgrEKGIZZNueJ6
                                                                                                                                                                                                                                      MD5:F7A9A259BBF44E4F2DA37869407F8F89
                                                                                                                                                                                                                                      SHA1:22FC373E1145E39B8197C56B48EC912107D873F2
                                                                                                                                                                                                                                      SHA-256:A66C15D44B408712E200C6605CAE3BEC56B85DBAFDDB666625EC422B9F0C71A4
                                                                                                                                                                                                                                      SHA-512:295E8A9BFFAC4621E504FC26D5F147D77B4B4727CA4A8438A0F38BC27C55F8BA8DE8E534C561E61D73A16C8F36E3D2A297B4390887E5CB8067ACC0D09C9173B5
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2209852031756079
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:f+8PhcuRc06WXJEjT5PDg6/KMqISoedGPdGTWaStedGPdGTn:Zhc1HjTRDF/K5IeD
                                                                                                                                                                                                                                      MD5:EEA6B9B66F4F39E66516792293C80958
                                                                                                                                                                                                                                      SHA1:3DF4BD81508A3A683DF6858B9A4DCCFABC081AEE
                                                                                                                                                                                                                                      SHA-256:27AF623981B6E38068FB683D2222794CE77CDA416BA943E01F77F499AB0021FF
                                                                                                                                                                                                                                      SHA-512:8B82E4DC6090ABE73C9EEA1589A7494FB1950A36D149C15A5F26130AE8390D3D7EA0B1F4E2D00433870AE3C6A5EEC73C4FCBA33753AA91D46596D0421BE23CBE
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF81AEDB3E98009857.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.6001674487988775
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:Fh8PhTuRc06WXzcjT5CMdtBvgF6SjndddwEqdGUDjxbQiSsndddSE8d:F8hT1BjTcstJA6f3DtNa
                                                                                                                                                                                                                                      MD5:B9F2FB68B7A881ACC5870238BC8FE5BF
                                                                                                                                                                                                                                      SHA1:21AE37CB68AF8E1B198CFA81BDA49B91BDAADFE7
                                                                                                                                                                                                                                      SHA-256:8DD2A6081B3A87E97E5A5F15C544E3A31294FC9DBC49F6BB480AC6A9AE9D0505
                                                                                                                                                                                                                                      SHA-512:00975EE3D3260B752559196597633B9F943999D60BBEC99243637C8AEC940FB0A83FEDC087EB2261B0BC0CFAF8EADE15793D7A813849D6BB06ED7CFA9F21CF88
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF81DFFBC662D7CE7C.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2568058727203626
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:O6ruHrh8FXz3T5ndv4rByKg/Sjnd/Eqdmx4bQaSsndVWeUJm5f4:NrRJTLgrEKGIZZNueJ6
                                                                                                                                                                                                                                      MD5:F7A9A259BBF44E4F2DA37869407F8F89
                                                                                                                                                                                                                                      SHA1:22FC373E1145E39B8197C56B48EC912107D873F2
                                                                                                                                                                                                                                      SHA-256:A66C15D44B408712E200C6605CAE3BEC56B85DBAFDDB666625EC422B9F0C71A4
                                                                                                                                                                                                                                      SHA-512:295E8A9BFFAC4621E504FC26D5F147D77B4B4727CA4A8438A0F38BC27C55F8BA8DE8E534C561E61D73A16C8F36E3D2A297B4390887E5CB8067ACC0D09C9173B5
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):49152
                                                                                                                                                                                                                                      Entropy (8bit):1.000276175910158
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:oMMXukJveFXJfT5ppDgDqISoedvPdvbCnuhnq9On8H0dStedvPdvxubS:gXaHTnpDRIciuBuOWC4
                                                                                                                                                                                                                                      MD5:C0EEBC4F25B7F48E9587ADBCC539B199
                                                                                                                                                                                                                                      SHA1:F48089F756D05B6101521F5213F639CBC7F70D44
                                                                                                                                                                                                                                      SHA-256:657B98199415FF0A0686ED1B96AAB6F40494BD564B1DD227E6B436EF48EDE538
                                                                                                                                                                                                                                      SHA-512:99519343314BCD65A28277028822A56613E51FD2B55061E0BC84E437445615F4311468A807BE9DDDB9064D92E19057184840C98B1B7BBF3EB881F4E35F2891B9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF91ECC3DB25A02C27.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):0.07992663949499662
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO2rNy+659IvYjSVky6l/X:2F0i8n0itFzDHFz6vYF/X
                                                                                                                                                                                                                                      MD5:76F80871844D53B66E47517D78AD0A94
                                                                                                                                                                                                                                      SHA1:0FD44E38BE90A7A92DAD36AD21BAB27775CDA4D3
                                                                                                                                                                                                                                      SHA-256:26250C5843A798C2632D4E4FF0B25CEEBBB4E64E702172BC60C128DEA3D19BA2
                                                                                                                                                                                                                                      SHA-512:457E8E1247A6E96F2CE7BFD1A9B5F53228AC182CE679F0DD2CC1FC39AB86109D0E8F25475DF25AE815F10D9C8CBD73930182AFC20DC38D889ACFF155232E3E4D
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.5596529555287586
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:X8PhluRc06WXJejT59kg0qISoedGPdGfoBrYrStedGPdGRub1n:Whl11jToeIaox
                                                                                                                                                                                                                                      MD5:80D8BC496D00E90FA00730A6676F2BDA
                                                                                                                                                                                                                                      SHA1:9A867C6C157C07250F24632884A20F976FFE9A03
                                                                                                                                                                                                                                      SHA-256:B2F9B5E3E045CDE533060C6CA58FCCB3710BB2564FB369053432277B14E8089C
                                                                                                                                                                                                                                      SHA-512:999E133589B68137CFE54477EEA286BCE66799BBC383525FAF37A535DFB10EF18398463B82C65188E2582852FA9CCF9161D26EDF77D6BDC6B186E68B8AF1F81B
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF98B9107F6CB6DD2C.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.5699733423949185
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:o8PhFuRc06WXzcjT5Hqdv4rByKgWRSjnd/EqdGUDjxbQ6Ssnd/E85f4:3hF1BjTZGgrEKhRI3DtNP6
                                                                                                                                                                                                                                      MD5:1461513C9C2C55C3EB648F532A992F46
                                                                                                                                                                                                                                      SHA1:4BD49792113207552E8BF772D7CD31327E77EE54
                                                                                                                                                                                                                                      SHA-256:DED77834168705883B9D99AF42A564C62E810891566C80AC9536FBE1BFB249D3
                                                                                                                                                                                                                                      SHA-512:5B27C8FAA76B0527554D5B32B1053FE97797F8EB1EED4AD3B19D03CF3BD24E5A0ED98DEEF484F5D8117513E4BAB3465BD1161D9A13E84B4578FECB8A9AA48345
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA6283C77C981C69E.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2300751780189139
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:uVUuKJveFXJfT5TDg6/KMqISoedGPdGTWaStedGPdGTn:CU4HTVDF/K5IeD
                                                                                                                                                                                                                                      MD5:D538042022EB1594160098D19EC01842
                                                                                                                                                                                                                                      SHA1:36BC336FAD847A000E5A1AEDCFB675EE81BBC2A5
                                                                                                                                                                                                                                      SHA-256:0AFF3655B3090A14E1469502C6ABD0F82764778BA1D6FC788417A9395FCDEFA5
                                                                                                                                                                                                                                      SHA-512:A7DF62B83B1F075391759C0B6B2DCDF56B9F14C0611084253810565B04BD7D563BA0F8A95C86CE42BA5688675AA0CA0BA8B8B436B4D3DD185606B3F384C1D546
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA6E424478D76B90E.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.619553738010167
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:qi8PhPuRc06WXJEjT5fDgDqISoedvPdvbCnuhnq9On8H0dStedvPdvxubS:qNhP1HjThDRIciuBuOWC4
                                                                                                                                                                                                                                      MD5:D40C9733092035B36C824AEFE84FD51F
                                                                                                                                                                                                                                      SHA1:96036F43B46E67A7126E5481CD5D3E3A9FE8FB84
                                                                                                                                                                                                                                      SHA-256:E8F21ABB59C1BE1323D13E589D9644D905ACA4088FDE1DA93F2B0EB8B10CA39C
                                                                                                                                                                                                                                      SHA-512:2F592349105386EA075B2F2F531303DDB0224A32EBE7F1C9FF51D04F469E60C4E2B13A32574263178E7F961B09E7F4AA921D6C4AC17E5AA4380B755F1C977ACA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFAB3CC1A7EA685EE1.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2568058727203626
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:O6ruHrh8FXz3T5ndv4rByKg/Sjnd/Eqdmx4bQaSsndVWeUJm5f4:NrRJTLgrEKGIZZNueJ6
                                                                                                                                                                                                                                      MD5:F7A9A259BBF44E4F2DA37869407F8F89
                                                                                                                                                                                                                                      SHA1:22FC373E1145E39B8197C56B48EC912107D873F2
                                                                                                                                                                                                                                      SHA-256:A66C15D44B408712E200C6605CAE3BEC56B85DBAFDDB666625EC422B9F0C71A4
                                                                                                                                                                                                                                      SHA-512:295E8A9BFFAC4621E504FC26D5F147D77B4B4727CA4A8438A0F38BC27C55F8BA8DE8E534C561E61D73A16C8F36E3D2A297B4390887E5CB8067ACC0D09C9173B5
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2493127247198048
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:NJgduksJveFXJ5T59kg0qISoedGPdGfoBrYrStedGPdGRub1n:IdxRToeIaox
                                                                                                                                                                                                                                      MD5:2C6CE458228C07766408EBA8229BD885
                                                                                                                                                                                                                                      SHA1:986FA60E9F9CC95621872374E7E8F58C35FD60E7
                                                                                                                                                                                                                                      SHA-256:7DE9C3B3CDEE9EFA81211DA69B389F4E10E7E47548E135FE3299745BA42870D6
                                                                                                                                                                                                                                      SHA-512:C4D12344454D03B8D8BEA4BDE2E761786B030D5B03B6BCCE95F583F8B541A8AFF963E9007468B2BA94D17A672068473D27CFC93120775F0E1B6F8CDD5C4094DA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB1D180C23304AF6D.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):69632
                                                                                                                                                                                                                                      Entropy (8bit):0.15871398467792455
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:W0R5WeUJ4Ssndd4dASjndd4d/Eqdmx4bQIgzdL4ByT:W0ee9/9ZZBUL4ET
                                                                                                                                                                                                                                      MD5:69CD43F643587A05097C2D1AC428E837
                                                                                                                                                                                                                                      SHA1:5B9C556AFD2AB59C310E8F8074133D53AA487D60
                                                                                                                                                                                                                                      SHA-256:7FDE629D8C91D9225161DA9F1A0A9333F6478AD0BB1C369F366C24850A0B6087
                                                                                                                                                                                                                                      SHA-512:04AAF5276552CAE4B8F04923EF115539A55EB09BA286C315C7D298DC1D8C7C89D4739B5652B8006AAF1B48FC1AF6AA16E4ABA4D24D756FF777C9D3F34CE54D2F
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2493127247198048
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:NJgduksJveFXJ5T59kg0qISoedGPdGfoBrYrStedGPdGRub1n:IdxRToeIaox
                                                                                                                                                                                                                                      MD5:2C6CE458228C07766408EBA8229BD885
                                                                                                                                                                                                                                      SHA1:986FA60E9F9CC95621872374E7E8F58C35FD60E7
                                                                                                                                                                                                                                      SHA-256:7DE9C3B3CDEE9EFA81211DA69B389F4E10E7E47548E135FE3299745BA42870D6
                                                                                                                                                                                                                                      SHA-512:C4D12344454D03B8D8BEA4BDE2E761786B030D5B03B6BCCE95F583F8B541A8AFF963E9007468B2BA94D17A672068473D27CFC93120775F0E1B6F8CDD5C4094DA
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB7F7F9B5484A5620.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):0.077966497703753
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO1LtCmOuPrfkiVky6l51:2F0i8n0itFzDHFzTPrfWr
                                                                                                                                                                                                                                      MD5:785EA75A2FB1DB6D9155B28A1291DAF3
                                                                                                                                                                                                                                      SHA1:6B86F7E077D0A8823383FBB776313FEDB17BFDEA
                                                                                                                                                                                                                                      SHA-256:BCD727E77C067BD5A31C13E8024F00ED60381D9AB725CAE2E6777A5708C9DDE0
                                                                                                                                                                                                                                      SHA-512:1834BBF627951711C96708EE7AA4B6C069055E832C717561DC77592E68EFB93E65FE825A5D3D13859057C93BE96CC12701D725491C4CFC49A4EE4FD40942E72A
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):20480
                                                                                                                                                                                                                                      Entropy (8bit):1.6033558346006964
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:T8Ph4uRc06WXzmFT5ztdL4ByWg6Sjndd4d/EqdGUDjxbQSSsndd4dXE8Rb:6h41bFT9/L4EWr93DtNgt
                                                                                                                                                                                                                                      MD5:34AC45BF94A16FAB4FEA5BE3F008937B
                                                                                                                                                                                                                                      SHA1:CADEF100E7D8E2770C1E44ABE836A5AB10EE5F43
                                                                                                                                                                                                                                      SHA-256:6FFED22063C531A1F7098E14897380F195527CA766B1DA9C966FAA43BC0D0776
                                                                                                                                                                                                                                      SHA-512:9D4D2058D668DB8E539C993FFE8BA687412E2373D6CB3A63266033A632B8E8BB51BF0AD9E4A97090BDC309175A268A3FFB0D5DC858058AF931443914A8250AF4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFCCA859E58D57E570.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):69632
                                                                                                                                                                                                                                      Entropy (8bit):0.14515813957868365
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:04l55WeUJ4SsndYSjnd/Eqdmx4bQGg6dv4rBy:BlGe9WIZZHfgrE
                                                                                                                                                                                                                                      MD5:B382BDBD3FC490DBD24F604D505B70BF
                                                                                                                                                                                                                                      SHA1:A054142913033FFC3E60E14EF8C9A6A307E51D98
                                                                                                                                                                                                                                      SHA-256:833C0A0B575B483287FC73E382F365BFB8DC7119ADA6EAE4FF4A0815AE6DD15D
                                                                                                                                                                                                                                      SHA-512:87DBB1CEAD3636E86453F53A36D9511515E2F4D3D384B50BB11F9DE4B5E4DCE66FFD19060C0F60451D74011D7ABFDEFF2E739C868AC79B9E484DC418973D5E9E
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2550357620921204
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:H69u5rh8FXz3T53qdv4rByKgWRSjnd/EqdGUDjxbQ6Ssnd/E85f4:a9LJTxGgrEKhRI3DtNP6
                                                                                                                                                                                                                                      MD5:65652D3B0BF20735F8A7188A09AF059D
                                                                                                                                                                                                                                      SHA1:639654B9DA604F9BF0659DEBBDFCEAC703D06AD9
                                                                                                                                                                                                                                      SHA-256:95A871B7A7CACDB474D6B832F21627B5ED2749F3AA5CBFDB2B8E394989864A00
                                                                                                                                                                                                                                      SHA-512:918BEB7AB76D2358DADE7ECABC19CCE68F577EA2E38F4F76535358C9A46E29CEE245EBEA9982BF1110CCA60D0A8B551974B475C88D53E6F94EE2F8B4C34C8E6F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFDCDFD0CB2A31DA77.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2300751780189139
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:uVUuKJveFXJfT5TDg6/KMqISoedGPdGTWaStedGPdGTn:CU4HTVDF/K5IeD
                                                                                                                                                                                                                                      MD5:D538042022EB1594160098D19EC01842
                                                                                                                                                                                                                                      SHA1:36BC336FAD847A000E5A1AEDCFB675EE81BBC2A5
                                                                                                                                                                                                                                      SHA-256:0AFF3655B3090A14E1469502C6ABD0F82764778BA1D6FC788417A9395FCDEFA5
                                                                                                                                                                                                                                      SHA-512:A7DF62B83B1F075391759C0B6B2DCDF56B9F14C0611084253810565B04BD7D563BA0F8A95C86CE42BA5688675AA0CA0BA8B8B436B4D3DD185606B3F384C1D546
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFE4C71D847951C502.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2550357620921204
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:H69u5rh8FXz3T53qdv4rByKgWRSjnd/EqdGUDjxbQ6Ssnd/E85f4:a9LJTxGgrEKhRI3DtNP6
                                                                                                                                                                                                                                      MD5:65652D3B0BF20735F8A7188A09AF059D
                                                                                                                                                                                                                                      SHA1:639654B9DA604F9BF0659DEBBDFCEAC703D06AD9
                                                                                                                                                                                                                                      SHA-256:95A871B7A7CACDB474D6B832F21627B5ED2749F3AA5CBFDB2B8E394989864A00
                                                                                                                                                                                                                                      SHA-512:918BEB7AB76D2358DADE7ECABC19CCE68F577EA2E38F4F76535358C9A46E29CEE245EBEA9982BF1110CCA60D0A8B551974B475C88D53E6F94EE2F8B4C34C8E6F
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFE500805D605C1849.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.279957365545884
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:qhwu3th8FXznT5CtdL4ByWg6Sjndd4d/EqdGUDjxbQSSsndd4dXE8Rb:Sw3JTY/L4EWr93DtNgt
                                                                                                                                                                                                                                      MD5:7A9EDD0951592FFA0DCA23B803502F1F
                                                                                                                                                                                                                                      SHA1:06B9D40EF7BB1C855053C829B24FE957375F9177
                                                                                                                                                                                                                                      SHA-256:8607F21308E08A06F6BD3A1CACF44A3A024C51CB7D42F3A2224FE6CEC35B28A7
                                                                                                                                                                                                                                      SHA-512:2030F7087AB8164AB741F52399DDA258AF0FBDC800DA38F101A6050C5CA0DCD66A38D03D390C1984A317F39E019FF74B370D5A2711B05DFFD256CABD07A003F4
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFE621A4F0D30A8591.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                                                                      Entropy (8bit):1.2817269049549629
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:shmulth8FXznT5KhdL4ByWgeSjndd4d/Eqdmx4bQySsndd4dNWeUJmRb:UmhJTQLL4EW39ZZNXeJt
                                                                                                                                                                                                                                      MD5:E708116C399E3A54623093BC80A898CD
                                                                                                                                                                                                                                      SHA1:DC89491C4955FF0EE3E0633FE003B345ED50F251
                                                                                                                                                                                                                                      SHA-256:08FEF808209D6E3B53DD736B91845D30A7CA90F8B6379CB7DEE2E4F339E66E7F
                                                                                                                                                                                                                                      SHA-512:09655ED08D5BA31D7E98DA9815BDF00E259484A13AEB5B61A308325689194FF3C0386005D6127F3FD3559441F9498BC36B7AA8C990095FDE6C4B711F65B9DBC3
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):69632
                                                                                                                                                                                                                                      Entropy (8bit):0.1631592413318558
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:48:TEubmStedvPdv+qISoedvPdvbCnuhnq9On8H0igP:hybIciuBuOWbY
                                                                                                                                                                                                                                      MD5:2DE810495CF8A7BAC07FD49EF4F3F3D0
                                                                                                                                                                                                                                      SHA1:930205E6D0D04BFCCF77FA6BA3CBBAE1E8F9E851
                                                                                                                                                                                                                                      SHA-256:866E878296CAA2B88137CE15A14FD2202381FFF0C835F93103F876E48306B25D
                                                                                                                                                                                                                                      SHA-512:64D9E964A5C34F01926C66CD3AAA7FE4F129F587298581DA1F75A1305D4B22BDD697A337E97B089E7EB836EF1A274D3D2A1B4609EEA8A621F9E12FAB473FF2F9
                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFEDCD4683FFA3EC74.TMP, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):512
                                                                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                      Size (bytes):416
                                                                                                                                                                                                                                      Entropy (8bit):5.322759312382268
                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                      SSDEEP:12:0ZWlZmTXHX7COtCZG3qcTXgCgEkA4y9cZlTXEotXSZsTXHX7Hw:0QZWH+zEv9gFG9c77XS2Hbw
                                                                                                                                                                                                                                      MD5:2B4B3E8A8AC0A548CA1081CEC2C22661
                                                                                                                                                                                                                                      SHA1:8DC3C354542D167E41AE0DE0C02182D8E71C3314
                                                                                                                                                                                                                                      SHA-256:996FA2D65DBA82DEA4FDABC345AB4F9E22FE191C19A5F4D770910D9EB62E39F6
                                                                                                                                                                                                                                      SHA-512:32FEB63D6CDBFB0BD14EE54857DFA462FB37444A583D3C332BC3D6B17A4219BDCB0F747A6E343B7844D24E757339D2AAC354D8D0C0299549A472DAA419B7F2E1
                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                      Reputation:unknown
                                                                                                                                                                                                                                      Preview:2025-01-14 13:35:14.9520|INFO|WindowsInstallerFactory|AdAgentPackage Execute Start..2025-01-14 13:35:15.1395|INFO|WindowsInstallerFactory|Parameters: AdCommandType: Maintenance InstallationFileUrl: https://get.anydesk.com/8CQsu9kv/AnyDesk_Custom_Client.msi..2025-01-14 13:35:15.1864|INFO|WindowsInstallerFactory|AnyDesk Status: None..2025-01-14 13:35:15.2176|INFO|WindowsInstallerFactory|AdAgentPackage Execute End..
                                                                                                                                                                                                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                      Entropy (8bit):7.878666436630809
                                                                                                                                                                                                                                      TrID:
                                                                                                                                                                                                                                      • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                      • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                      File name:XML-702.msi
                                                                                                                                                                                                                                      File size:2'994'176 bytes
                                                                                                                                                                                                                                      MD5:17233cb43b4a16b35d9d174cfc88ec4a
                                                                                                                                                                                                                                      SHA1:3831189838df5d113461823a1aa864d7572bedf5
                                                                                                                                                                                                                                      SHA256:a78b24eacd8138edb9f0d440c2ffb98cee269ae32c8f8ba8790d4d60c2ee18e5
                                                                                                                                                                                                                                      SHA512:239c758d62c9d14532589de4ed3151eed177419cdd9f06cf8c223fa137631fe8ed576fa29da5b0040510a0eaf2ea6f5ab5da61809a7208d1220dc80109baabd0
                                                                                                                                                                                                                                      SSDEEP:49152:b+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:b+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                      TLSH:ACD523117584483AE37B0A358D7ADAA05E7DFE605B70CA8E9308741E2D705C1AB76FB3
                                                                                                                                                                                                                                      Icon Hash:2d2e3797b32b2b99
                                                                                                                                                                                                                                      Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                                                                      Start time:13:34:05
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\XML-702.msi"
                                                                                                                                                                                                                                      Imagebase:0x7ff6ec4f0000
                                                                                                                                                                                                                                      File size:69'632 bytes
                                                                                                                                                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:1
                                                                                                                                                                                                                                      Start time:13:34:05
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                      Imagebase:0x7ff6ec4f0000
                                                                                                                                                                                                                                      File size:69'632 bytes
                                                                                                                                                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                      Target ID:2
                                                                                                                                                                                                                                      Start time:13:34:06
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 880080BE1478B06580F06BAFC5D76649
                                                                                                                                                                                                                                      Imagebase:0xe30000
                                                                                                                                                                                                                                      File size:59'904 bytes
                                                                                                                                                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:3
                                                                                                                                                                                                                                      Start time:13:34:06
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSIA4ED.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5612890 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                      Imagebase:0x600000
                                                                                                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000003.00000003.1719314198.0000000004960000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:4
                                                                                                                                                                                                                                      Start time:13:34:07
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSIA82A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5613656 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                                                                                                                                                      Imagebase:0x600000
                                                                                                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1761638743.0000000004831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.1730020662.000000000468A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1761638743.00000000048D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:5
                                                                                                                                                                                                                                      Start time:13:34:11
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSIB77D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5617562 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                                                                                                                                                                                                                      Imagebase:0x600000
                                                                                                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.1764369780.0000000004775000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:6
                                                                                                                                                                                                                                      Start time:13:34:11
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 5BF63B3DEC55F2B0AB21F4C24E7E610C E Global\MSI0000
                                                                                                                                                                                                                                      Imagebase:0xe30000
                                                                                                                                                                                                                                      File size:59'904 bytes
                                                                                                                                                                                                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:7
                                                                                                                                                                                                                                      Start time:13:34:11
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                      Commandline:"NET" STOP AteraAgent
                                                                                                                                                                                                                                      Imagebase:0x4c0000
                                                                                                                                                                                                                                      File size:47'104 bytes
                                                                                                                                                                                                                                      MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:8
                                                                                                                                                                                                                                      Start time:13:34:11
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:9
                                                                                                                                                                                                                                      Start time:13:34:12
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\net1 STOP AteraAgent
                                                                                                                                                                                                                                      Imagebase:0xc30000
                                                                                                                                                                                                                                      File size:139'776 bytes
                                                                                                                                                                                                                                      MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:10
                                                                                                                                                                                                                                      Start time:13:34:12
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                      Commandline:"TaskKill.exe" /f /im AteraAgent.exe
                                                                                                                                                                                                                                      Imagebase:0xec0000
                                                                                                                                                                                                                                      File size:74'240 bytes
                                                                                                                                                                                                                                      MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:11
                                                                                                                                                                                                                                      Start time:13:34:12
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:12
                                                                                                                                                                                                                                      Start time:13:34:13
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="contato@plasticoseireli.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q3000005bkCOIAY" /AgentId="129f3953-acb3-4c59-97d2-68ee1acc4037"
                                                                                                                                                                                                                                      Imagebase:0x16037b30000
                                                                                                                                                                                                                                      File size:145'968 bytes
                                                                                                                                                                                                                                      MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                                      • Detection: 26%, ReversingLabs
                                                                                                                                                                                                                                      • Detection: 28%, Virustotal, Browse
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:13
                                                                                                                                                                                                                                      Start time:13:34:15
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                      Imagebase:0x24de0c00000
                                                                                                                                                                                                                                      File size:145'968 bytes
                                                                                                                                                                                                                                      MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:14
                                                                                                                                                                                                                                      Start time:13:34:16
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                      Imagebase:0x7ff7d2320000
                                                                                                                                                                                                                                      File size:72'192 bytes
                                                                                                                                                                                                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:15
                                                                                                                                                                                                                                      Start time:13:34:16
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:16
                                                                                                                                                                                                                                      Start time:13:34:16
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                      Commandline:rundll32.exe "C:\Windows\Installer\MSICE75.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5623421 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                      Imagebase:0x600000
                                                                                                                                                                                                                                      File size:61'440 bytes
                                                                                                                                                                                                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1867277939.0000000005374000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1867277939.00000000052D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000003.1823152124.0000000004DDB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:18
                                                                                                                                                                                                                                      Start time:13:34:24
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "dd688ee6-da7a-489a-824e-4b2b8f963f93" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q3000005bkCOIAY
                                                                                                                                                                                                                                      Imagebase:0x1f8fa9c0000
                                                                                                                                                                                                                                      File size:186'408 bytes
                                                                                                                                                                                                                                      MD5 hash:9D8D50D2789C2A8D847D7953518A96F6
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1936814285.000001F8FACC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1935576115.000001F8FABFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1935576115.000001F8FABB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1933854948.000001F880001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1935576115.000001F8FAB70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1935576115.000001F8FAC5E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000000.1900225335.000001F8FA9C2000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1933854948.000001F880079000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:19
                                                                                                                                                                                                                                      Start time:13:34:24
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "2e37e1c0-19ef-487a-bbff-8667419be909" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q3000005bkCOIAY
                                                                                                                                                                                                                                      Imagebase:0x24147170000
                                                                                                                                                                                                                                      File size:186'408 bytes
                                                                                                                                                                                                                                      MD5 hash:9D8D50D2789C2A8D847D7953518A96F6
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1935279763.0000024147522000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1933971482.00000241472DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1933971482.00000241472A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1933971482.0000024147327000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1935801016.0000024147AE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1935801016.0000024147AB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1935801016.0000024147A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1935677168.0000024147600000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1938279305.00000241603F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1933971482.00000241472BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1933971482.00000241472EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.1933971482.00000241472A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:20
                                                                                                                                                                                                                                      Start time:13:34:24
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:21
                                                                                                                                                                                                                                      Start time:13:34:24
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:24
                                                                                                                                                                                                                                      Start time:13:34:28
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "a2b1d8f6-2f82-4898-80a5-6c64d88ad439" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q3000005bkCOIAY
                                                                                                                                                                                                                                      Imagebase:0x1e528930000
                                                                                                                                                                                                                                      File size:186'408 bytes
                                                                                                                                                                                                                                      MD5 hash:9D8D50D2789C2A8D847D7953518A96F6
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1946436379.000001E528A6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1946436379.000001E528A30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:25
                                                                                                                                                                                                                                      Start time:13:34:28
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:26
                                                                                                                                                                                                                                      Start time:13:34:28
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                      Imagebase:0x2bb77300000
                                                                                                                                                                                                                                      File size:145'968 bytes
                                                                                                                                                                                                                                      MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2835769180.000002BB77438000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:27
                                                                                                                                                                                                                                      Start time:13:34:29
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                      Imagebase:0x7ff7d2320000
                                                                                                                                                                                                                                      File size:72'192 bytes
                                                                                                                                                                                                                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:28
                                                                                                                                                                                                                                      Start time:13:34:29
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:29
                                                                                                                                                                                                                                      Start time:13:34:29
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "c08b9836-612b-4f1a-a9b2-6d15dae1664b" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q3000005bkCOIAY
                                                                                                                                                                                                                                      Imagebase:0x158a0c20000
                                                                                                                                                                                                                                      File size:186'408 bytes
                                                                                                                                                                                                                                      MD5 hash:9D8D50D2789C2A8D847D7953518A96F6
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2221998261.00000158A1873000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2215343760.00000158A0D56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2221998261.00000158A17AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2215343760.00000158A0D30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2221305797.00000158A0FD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2239414816.00000158B9F70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2221998261.00000158A1842000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2221998261.00000158A1687000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2241925591.00000158BA00D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2221998261.00000158A1907000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2215343760.00000158A0D4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2215343760.00000158A0D9A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2221998261.00000158A1845000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2221998261.00000158A15F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2238773716.00000158B9F3F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2215343760.00000158A0D10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2221998261.00000158A1870000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:30
                                                                                                                                                                                                                                      Start time:13:34:29
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:31
                                                                                                                                                                                                                                      Start time:13:34:30
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB $DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible "
                                                                                                                                                                                                                                      Imagebase:0x7ff788560000
                                                                                                                                                                                                                                      File size:452'608 bytes
                                                                                                                                                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1996079006.000001FC0022A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2051822058.000001FC68120000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:32
                                                                                                                                                                                                                                      Start time:13:34:30
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:33
                                                                                                                                                                                                                                      Start time:13:34:31
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "73baa492-8131-47bd-aef7-ff6f586897ca" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q3000005bkCOIAY
                                                                                                                                                                                                                                      Imagebase:0x1545d090000
                                                                                                                                                                                                                                      File size:72'744 bytes
                                                                                                                                                                                                                                      MD5 hash:67FEF41237025021CD4F792E8C24E95A
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000000.1966284128.000001545D092000.00000002.00000001.01000000.0000001B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2533787286.000001545D18D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2533787286.000001545D210000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2565106208.000001545D981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2565106208.000001545DA83000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2563220552.000001545D430000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2533787286.000001545D1C2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2565106208.000001545D9FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2715960566.00000154762D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2565106208.000001545DBD2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2533787286.000001545D180000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2533787286.000001545D1CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2565106208.000001545DA91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:34
                                                                                                                                                                                                                                      Start time:13:34:31
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:35
                                                                                                                                                                                                                                      Start time:13:34:34
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "83a39b31-6e02-450c-883e-7bcfe5037852" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q3000005bkCOIAY
                                                                                                                                                                                                                                      Imagebase:0x1ed83a60000
                                                                                                                                                                                                                                      File size:407'080 bytes
                                                                                                                                                                                                                                      MD5 hash:810F893E58861909B134FA72E3BC90CD
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:36
                                                                                                                                                                                                                                      Start time:13:34:34
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:37
                                                                                                                                                                                                                                      Start time:13:34:42
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                      Imagebase:0x7ff7002f0000
                                                                                                                                                                                                                                      File size:289'792 bytes
                                                                                                                                                                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2145934957.000001CA2595C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2145934957.000001CA25973000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000003.2077592708.000001CA25BC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2145934957.000001CA25950000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2146266932.000001CA25BA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:38
                                                                                                                                                                                                                                      Start time:13:34:42
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:39
                                                                                                                                                                                                                                      Start time:13:34:42
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                      Imagebase:0x7ff766870000
                                                                                                                                                                                                                                      File size:161'280 bytes
                                                                                                                                                                                                                                      MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2144138281.000001B0827E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:40
                                                                                                                                                                                                                                      Start time:13:34:43
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\sppsvc.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                                                                                                                                                      Imagebase:0x7ff6ec950000
                                                                                                                                                                                                                                      File size:4'630'384 bytes
                                                                                                                                                                                                                                      MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:41
                                                                                                                                                                                                                                      Start time:13:34:50
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k smphost
                                                                                                                                                                                                                                      Imagebase:0x7ff6eef20000
                                                                                                                                                                                                                                      File size:55'320 bytes
                                                                                                                                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                      Target ID:42
                                                                                                                                                                                                                                      Start time:13:35:00
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "ad826f4a-bdf2-4b7c-85be-2ce6747e9604" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q3000005bkCOIAY
                                                                                                                                                                                                                                      Imagebase:0x1a367fe0000
                                                                                                                                                                                                                                      File size:186'408 bytes
                                                                                                                                                                                                                                      MD5 hash:9D8D50D2789C2A8D847D7953518A96F6
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3294930991.000001A3681B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3304711756.000001A369205000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3294930991.000001A368234000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3294930991.000001A3681ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3320326634.000001A3693DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3268267011.00000089AA6F3000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3301700390.000001A3683D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3294930991.000001A3681B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3270482818.000001A300047000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3270482818.000001A300001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3320326634.000001A3693B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3270482818.000001A300252000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3270482818.000001A300079000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.3270482818.000001A30010C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                      Target ID:43
                                                                                                                                                                                                                                      Start time:13:35:00
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                      Target ID:44
                                                                                                                                                                                                                                      Start time:13:35:01
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB $DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible "
                                                                                                                                                                                                                                      Imagebase:0x7ff788560000
                                                                                                                                                                                                                                      File size:452'608 bytes
                                                                                                                                                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.3105566513.0000027DFD980000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.3105566513.0000027DFD983000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2324809347.0000027D8022B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:45
                                                                                                                                                                                                                                      Start time:13:35:01
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                      Target ID:46
                                                                                                                                                                                                                                      Start time:13:35:02
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "01be1e33-edd2-4b80-ad30-0a2ff62d8a90" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q3000005bkCOIAY
                                                                                                                                                                                                                                      Imagebase:0x2788cf60000
                                                                                                                                                                                                                                      File size:57'896 bytes
                                                                                                                                                                                                                                      MD5 hash:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:47
                                                                                                                                                                                                                                      Start time:13:35:02
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:48
                                                                                                                                                                                                                                      Start time:13:35:04
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                                                                                                                                                                                                                      Imagebase:0x1c1b1150000
                                                                                                                                                                                                                                      File size:57'896 bytes
                                                                                                                                                                                                                                      MD5 hash:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:49
                                                                                                                                                                                                                                      Start time:13:35:05
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "bb91c3ae-13a9-46d3-b7cd-8a12a2b5a6f8" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q3000005bkCOIAY
                                                                                                                                                                                                                                      Imagebase:0x2b19e260000
                                                                                                                                                                                                                                      File size:33'320 bytes
                                                                                                                                                                                                                                      MD5 hash:2EC1D28706B9713026E8C6814E231D7C
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000000.2306992769.000002B19E262000.00000002.00000001.01000000.00000028.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                      Target ID:50
                                                                                                                                                                                                                                      Start time:13:35:05
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                      Target ID:51
                                                                                                                                                                                                                                      Start time:13:35:05
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:52
                                                                                                                                                                                                                                      Start time:13:35:06
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "337a6611-035b-4530-8875-95d63c915d31" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q3000005bkCOIAY
                                                                                                                                                                                                                                      Imagebase:0x21743e10000
                                                                                                                                                                                                                                      File size:57'896 bytes
                                                                                                                                                                                                                                      MD5 hash:CB9890B01A396F64D702AD10F441003A
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:53
                                                                                                                                                                                                                                      Start time:13:35:06
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                      Target ID:54
                                                                                                                                                                                                                                      Start time:13:35:08
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                                                                                                                                                                                                                      Imagebase:0x7ff6ec4f0000
                                                                                                                                                                                                                                      File size:69'632 bytes
                                                                                                                                                                                                                                      MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
Has exited:true

Target ID:55
Start time:13:35:08
Start date:14/01/2025
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 710833DCD7A2D76742D801FD4C065DF0 E Global\MSI0000
Imagebase:0xe30000
File size:59'904 bytes
MD5 hash:9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:56
Start time:13:35:09
Start date:14/01/2025
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSI99A5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5675609 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Imagebase:0x600000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000003.2348129433.000000000478E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:57
Start time:13:35:09
Start date:14/01/2025
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "5898f009-0c88-42d0-af0f-4e5a5d40fd4a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q3000005bkCOIAY
Imagebase:0x1c501d30000
File size:219'696 bytes
MD5 hash:01807774F043028EC29982A62FA75941
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
Has exited:true

Target ID:58
Start time:13:35:10
Start date:14/01/2025
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "898b7d78-f877-4008-88ae-7d7cecc198d8" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q3000005bkCOIAY
Imagebase:0x1ebdeb30000
File size:201'768 bytes
MD5 hash:D0D21E16E57A1A73056EAE228DA1E287
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000002.2532274938.000001EBDF6DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000002.2532274938.000001EBDF787000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000002.2532274938.000001EBDF6D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000002.2496732047.000001EBDEC9F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000002.2496732047.000001EBDEC5E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000002.2496732047.000001EBDEC1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000002.2679052691.000001EBF7CCD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000002.2532274938.000001EBDF541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:59
                                                                                                                                                                                                                                      Start time:13:35:10
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:60
                                                                                                                                                                                                                                      Start time:13:35:10
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "6f5a73d1-06cd-46b4-86b8-fdba5613e7c2" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q3000005bkCOIAY
                                                                                                                                                                                                                                      Imagebase:0x1c876610000
                                                                                                                                                                                                                                      File size:27'696 bytes
                                                                                                                                                                                                                                      MD5 hash:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:61
                                                                                                                                                                                                                                      Start time:13:35:10
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:62
                                                                                                                                                                                                                                      Start time:13:35:10
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "d73a02c6-2491-46af-96a3-8578313e700f" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q3000005bkCOIAY
                                                                                                                                                                                                                                      Imagebase:0x1fc5a210000
                                                                                                                                                                                                                                      File size:407'080 bytes
                                                                                                                                                                                                                                      MD5 hash:810F893E58861909B134FA72E3BC90CD
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003E.00000002.2624009560.000001FC5B346000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003E.00000002.2624009560.000001FC5AEFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003E.00000002.2911735607.000001FC74418000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003E.00000002.2927378013.000001FC745CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003E.00000002.2912569582.000001FC7442D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003E.00000002.2624009560.000001FC5B38B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003E.00000002.2588694913.000001FC5A300000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003E.00000002.2886193148.000001FC73417000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003E.00000002.2624009560.000001FC5B200000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003E.00000002.2592491990.000001FC5A4DA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003E.00000002.2624009560.000001FC5B305000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003E.00000002.2624009560.000001FC5B0B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003E.00000002.2611838691.000001FC5A6B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:63
                                                                                                                                                                                                                                      Start time:13:35:10
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:64
                                                                                                                                                                                                                                      Start time:13:35:11
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                      Target ID:65
                                                                                                                                                                                                                                      Start time:13:35:11
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 129f3953-acb3-4c59-97d2-68ee1acc4037 "49f83d36-063d-4873-a1b6-871acf3a8149" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q3000005bkCOIAY
                                                                                                                                                                                                                                      Imagebase:0x1a26f540000
                                                                                                                                                                                                                                      File size:52'272 bytes
                                                                                                                                                                                                                                      MD5 hash:3180C705182447F4BCC7CE8E2820B25D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                      • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Target ID:66
                                                                                                                                                                                                                                      Start time:13:35:12
                                                                                                                                                                                                                                      Start date:14/01/2025
                                                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                      Reset < >
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $^q$$^q
                                                                                                                                                                                                                                        • API String ID: 0-355816377
                                                                                                                                                                                                                                        • Opcode ID: 11db3e818f7b38cd1d18a68ea5206d3485fc36981ff438c117cb7505230fd2cf
                                                                                                                                                                                                                                        • Instruction ID: 2377c7fade8195077351db203be44145ab0e370d1be365d8da6a8686aef5bbde
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 11db3e818f7b38cd1d18a68ea5206d3485fc36981ff438c117cb7505230fd2cf
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7D51D171B402099FCB55DF78D850AAEBBF6EFC9350B14812AE818DB365DA309D42CB91
Strings
Memory Dump Source
• Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
Similarity
• API ID:
• String ID: (bq
• API String ID: 0-149360118
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 217a08085fe8d1d7473acc9bf20a44f0111701cec1514bab83db66f7065b83d9
                                                                                                                                                                                                                                        • Instruction ID: 0fe9020a8e453fd21620d594020c519f903259a70e69ef90e59a12fa4b6e7967
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 217a08085fe8d1d7473acc9bf20a44f0111701cec1514bab83db66f7065b83d9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ABE09BB1C062059FE748DF7CD54129ABFF5EA1921075081BFCC08C6A91FA32D943CB51
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ee8ab8aa2bd093d83f70f0dc7c915a3e518c44560cf528fb6eadf4bc0b7f825e
                                                                                                                                                                                                                                        • Instruction ID: 17cfaddfbb2e2b2fb7d29a1ea1e71720315761693dd062bf83e3a36646a66be7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ee8ab8aa2bd093d83f70f0dc7c915a3e518c44560cf528fb6eadf4bc0b7f825e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 66512436B012159FDB10CB68D990A6ABBB5FF48308B1581E9E518CB262DB31EC43C791
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 9f19824dae783c6a570332bd8acf91d0ed732f43603841ff554dabd19b085873
                                                                                                                                                                                                                                        • Instruction ID: 6ca3a437e9d8f7aa5841d8d40f39d4ccaf95453be8e8baf2c64b295a416f0445
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9f19824dae783c6a570332bd8acf91d0ed732f43603841ff554dabd19b085873
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1731BC32F051447FE3685A797C1566B7B67DFE2340B0A807AC6048F293DC24AC138BE1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c0599ecfc399c87a2c2010367906b0a5d0f99774ef3d8cf6684d1c11acbe169d
                                                                                                                                                                                                                                        • Instruction ID: 96a652b9fe39b3062b9c509f7a374f115e549eb4c99b65fae0ee12aa4158e53f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c0599ecfc399c87a2c2010367906b0a5d0f99774ef3d8cf6684d1c11acbe169d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9B41FA36B10218DFCB54DF68D98099EBBB6FF88714B148169E905EB360DB31EC42CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 21afb4f5abce0614bb61afed6e883bb2b6b9855632487cea8ccc8c33124e74c0
                                                                                                                                                                                                                                        • Instruction ID: 57b5dd22674773b13f0a6e1a6525fabe5a366acc7f447f2c7a242560d2454e8d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 21afb4f5abce0614bb61afed6e883bb2b6b9855632487cea8ccc8c33124e74c0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4B216D37E462146FF7512BB4B9553EA7F68DB45224F0084FAEE089A162CD14988783A1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 01bbf2ed0a99742d4c0317150d62966f09c1a55944c5e016a7b33aa1b0eb4e69
                                                                                                                                                                                                                                        • Instruction ID: ae3766168456bfc499f11c00de898fda6dd14e2808b3f95a5768fb4999ae3b25
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 01bbf2ed0a99742d4c0317150d62966f09c1a55944c5e016a7b33aa1b0eb4e69
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 32213D32F0126497EB109F78CC506EE7BA6DF85214F04407EC906DB256EA34ED078B91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
Memory Dump Source
• Source File: 00000003.00000002.1722437419.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_2f0d000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 398c6915cff7680f72a1b775a633089ef24fe37eb16d051190f10dad725f9eda
                                                                                                                                                                                                                                        • Instruction ID: b90645f2cdaadef65ca04dfb6cb0c0d4db36e95895fbd74fccfcbe656f001589
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 398c6915cff7680f72a1b775a633089ef24fe37eb16d051190f10dad725f9eda
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DB014C6140E3C09ED7128B258894B56BFB4EF43624F19C1DBE9888F1E7C2699849D772
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000002.1722437419.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_2f0d000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 535a26b28a8e1ac9c7bc8cf5af080f4a8f7ca95d1a89aa217aac8527f7c53a84
                                                                                                                                                                                                                                        • Instruction ID: 56c8d935238ddc593fb3b57d1d378c7316450ad9de7b50c7f8a0939606cf584f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 535a26b28a8e1ac9c7bc8cf5af080f4a8f7ca95d1a89aa217aac8527f7c53a84
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6901F7719083409AE7204A65C9C4F67BF98EF417A4F08C52AEE4C0A1CAC3799841D6B1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0f012838eb065286ce30eaacad84ef26847a8104c5b79985d59f7152d08f95e0
                                                                                                                                                                                                                                        • Instruction ID: 8f468beef4b121fc91355f0556e51433c17e27361dbe28a3f6b59c022bece7e3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0f012838eb065286ce30eaacad84ef26847a8104c5b79985d59f7152d08f95e0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 12F05033B067101BD7745F26E4C077E6B6AEFD8754B0480EDDD0487251DD249C4352A1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 5e04a90f136955d752f286184e92f86043797e0bfb5d3c9cf5e85422c539db9d
                                                                                                                                                                                                                                        • Instruction ID: 2bfa68c058b5fa8381b7d801d8e64610b967643d0b8e19486206b6136b9afa9e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e04a90f136955d752f286184e92f86043797e0bfb5d3c9cf5e85422c539db9d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 36F09E35B09B5027D7241B66958071B6F6DAFD5160F05407DED088B303DA24DC038AE0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 9111d2f6014966f4becc0b3ffb359bf77bf624cf813527a8c1671625d73b7671
                                                                                                                                                                                                                                        • Instruction ID: c9275e08eeb2eaf7a8c95d76291bb36463e8a5dd6824d23c0f2cc38bb16ed9c6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9111d2f6014966f4becc0b3ffb359bf77bf624cf813527a8c1671625d73b7671
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A5F0BE32E110549BEB1C9678E4551EEB777DBCC221B20C03ADD06A76D0EE249C0B8B52
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: cacf6f8054e6d525073088a8fe5d242650902fc7c078e65063478d149067514b
                                                                                                                                                                                                                                        • Instruction ID: 4c3c378b742cb7c6a0cf9fcd2aa4f75d208c41123bafee5b656a34c9deb356e5
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cacf6f8054e6d525073088a8fe5d242650902fc7c078e65063478d149067514b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6AF02470F002055EEB0C9F386A6821B3F9AEFD1604705087DC5098F251F924C8438BC2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 2212d519e92da620455bb90a104eeec5f0173604f76bb619942c4798a875b050
                                                                                                                                                                                                                                        • Instruction ID: b0a4629b459c306d3d0ea78bdb63f1a2cf33e31ba098374a4ef6cce15455dabe
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2212d519e92da620455bb90a104eeec5f0173604f76bb619942c4798a875b050
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7EE0E537F1015457CB1C9668E4545EEB77ADBC8210F11803AD817A3380EF705D0ACB91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 48ac0799558d8744518b5787ee70ed891213b4d94e993f43469b9515c79ec8a7
                                                                                                                                                                                                                                        • Instruction ID: 93cadbec7b60d025baca2b465467d4f15ff023c7a02821d5723d3a684da1d688
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 48ac0799558d8744518b5787ee70ed891213b4d94e993f43469b9515c79ec8a7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 59E09A22F5431802FFB83A685A107A666DE8FA1608F0408BEC802C7682E8E0F84003E2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 06fe07d5a6154970b109684f1206c0308a2ebb07b26f277853a6fa269b30f144
                                                                                                                                                                                                                                        • Instruction ID: 5032b0b7ec645888693d2dcce418b29cce971c138ebff3ed931d992113ce8512
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 06fe07d5a6154970b109684f1206c0308a2ebb07b26f277853a6fa269b30f144
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 70E0C2B140A6402FE7229378FD925CCBF21DE84204742C4E6C1818FA77EE10C88B4386
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000003.00000003.1721629878.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_3_3_4ac0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760696818.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6d40000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: Pl^q$Pl^q$Pl^q$Pl^q$Pl^q$x cq
                                                                                                                                                                                                                                        • API String ID: 0-1040424049
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760696818.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6d40000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: \;^q
                                                                                                                                                                                                                                        • API String ID: 0-2342212615
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: `q$$&_q$(_^q$4'^q$4'^q$4'^q$4'^q$4c^q$4c^q$@b^q$|-_q$$^q$$^q$c^q$c^q$`q
                                                                                                                                                                                                                                        • API String ID: 0-3238858861
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: `q$$&_q$(_^q$4'^q$4'^q$4'^q$4'^q$4c^q$4c^q$@b^q$|-_q$$^q$$^q$c^q$c^q$`q
                                                                                                                                                                                                                                        • API String ID: 0-3238858861
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq$\;^q$|]q
                                                                                                                                                                                                                                        • API String ID: 0-2188306192
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq$d
                                                                                                                                                                                                                                        • API String ID: 0-3334038649
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $^q$$^q
                                                                                                                                                                                                                                        • API String ID: 0-355816377
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq$LR^q
                                                                                                                                                                                                                                        • API String ID: 0-516514815
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • KiUserExceptionDispatcher.NTDLL ref: 06D49FF8
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760696818.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6d40000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 6842923-0
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • KiUserExceptionDispatcher.NTDLL ref: 06D49FF8
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760696818.0000000006D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D40000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6d40000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 6842923-0
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: Qk^
                                                                                                                                                                                                                                        • API String ID: 0-2991522343
                                                                                                                                                                                                                                        • Opcode ID: 33c4ed6b3d6cd6bc2a09cdb92aef2803f89a55addbb08fe479e7360331fa379f
                                                                                                                                                                                                                                        • Instruction ID: a68ba2551397b400860e4b723c3fbedaf6edb91cb38d6a93d50fe10234e1c458
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 33c4ed6b3d6cd6bc2a09cdb92aef2803f89a55addbb08fe479e7360331fa379f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3CB18D74B006018FCB55DF39D998A6AFBF2FF88204B04856DD9168B365EB30ED46CB91
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        • Opcode ID: d7166449363304429ee14a2ce6c77b5942899cebc514d825d9b2b3870d7aca9b
                                                                                                                                                                                                                                        • Instruction ID: e8b01a84c7cf946bc770389b01700e99711d8d57f087d68feb93eb86b7815435
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d7166449363304429ee14a2ce6c77b5942899cebc514d825d9b2b3870d7aca9b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B371B271B002048FDB44ABB5CC5876EB6A7AFC9310F198429E906EB3A4DE31DD82C795
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        • Opcode ID: 1ed94c5377802d92dd9ece0859c545de60611b8e15dd60bca35c64eac92584aa
                                                                                                                                                                                                                                        • Instruction ID: 88634e8f779a6a4be6138ef01c7c161b8edf9eed25c54b42572154e9bb64c26d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1ed94c5377802d92dd9ece0859c545de60611b8e15dd60bca35c64eac92584aa
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6F717030B001158FCB54DF69C994A6EBBF6FF88310B618568E8069B3A5DF30ED85CB95
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: Qk^
                                                                                                                                                                                                                                        • API String ID: 0-2991522343
                                                                                                                                                                                                                                        • Opcode ID: b4478606639121e115d6ff126a7f9fea7c4a60b37ded020fcff807a0750ed338
                                                                                                                                                                                                                                        • Instruction ID: 90a517fc113d2aaae1ecab171b4fb8a692bbb8ad7e4d99ffb98e7bed8120592b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b4478606639121e115d6ff126a7f9fea7c4a60b37ded020fcff807a0750ed338
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 91717C74B006018FCB55DF39D99496AFBF2FF88200B04866DD9568B365EB30ED46CB91
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (Acq
                                                                                                                                                                                                                                        • API String ID: 0-1548273396
                                                                                                                                                                                                                                        • Opcode ID: e5d3a846eee4742e5628f7113a139e763cccca5a88bd638e5f396cc6690e4d29
                                                                                                                                                                                                                                        • Instruction ID: de77b52ff4a46ac62cdd93066ae8bed1e13bb8b239d7f8b2e8e338b4722b7974
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e5d3a846eee4742e5628f7113a139e763cccca5a88bd638e5f396cc6690e4d29
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 01617E70B10215CFDB549F69DD94B6EBBA2AF88240F154029D902D7390EF70DE86CB95
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (Acq
                                                                                                                                                                                                                                        • API String ID: 0-1548273396
                                                                                                                                                                                                                                        • Opcode ID: 7a763f1d7d3e1a90ffca1e9aaa3d36d2a1593b37b82af6407d09760609832eec
                                                                                                                                                                                                                                        • Instruction ID: c22b6eaa455980c66d6bdbc8de7b8f052a73d66394edbbcbdd8a1572feb542db
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7a763f1d7d3e1a90ffca1e9aaa3d36d2a1593b37b82af6407d09760609832eec
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D9419F70B102199FDB44DFA9D894AAEBBB2FF88240F114129D812EB390EF709D45CB95
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        • Opcode ID: 5e31e42c9c2ebbc42b96fa3dbcbc87d049df171e57103d7b2fbf3a1322e2cdbd
                                                                                                                                                                                                                                        • Instruction ID: d246888a1910b89f4d8c050db0a0e6cd9b32c977e151b03b0975ced720974fd4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e31e42c9c2ebbc42b96fa3dbcbc87d049df171e57103d7b2fbf3a1322e2cdbd
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7A31E030B002154FDB48AB7EC85497EBBA7EFC8250711443DE906CB350EE30DE4587A9
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        • Opcode ID: d8cd78e2cf56fc788844b3c9b7d6bd4b1feb5488a5efee07fa41c3c468a40b1a
                                                                                                                                                                                                                                        • Instruction ID: 3341670be3124039779919f21e3ea01939d1b7b3522381a31595e925ceda6466
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d8cd78e2cf56fc788844b3c9b7d6bd4b1feb5488a5efee07fa41c3c468a40b1a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AB417A34B006158FDB54DF59C884A6AB7F2FF89314B16C569E81AEB350CB30E981CF98
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        • Opcode ID: e5e91b8a18e5711736e4c61cb569e4da1dd059023c63b15762a8f0ce20482c88
                                                                                                                                                                                                                                        • Instruction ID: a19554468687cff8e10d001bdf3f33539254bfc41f8dcb9f2c780d619ff298ca
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e5e91b8a18e5711736e4c61cb569e4da1dd059023c63b15762a8f0ce20482c88
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4D314730B042949FD7956B398C6436E7BF69FC6310F2A446ED842EB382CE744D49C7A6
Strings
Memory Dump Source
• Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        • Opcode ID: 8aba7fa806d8a49d605be306c1522cece02bc02bd006f76086a7f0a489c705f4
                                                                                                                                                                                                                                        • Instruction ID: 8bc7c509682ba95c20ebeae07de9d32cc08db09d6988ca34cbfc5798da2704b4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8aba7fa806d8a49d605be306c1522cece02bc02bd006f76086a7f0a489c705f4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CE01F2343052414FC745AB3DD85092E3BE7AFC621432845BED44ACB7A6EE35EC46C365
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        • Opcode ID: fc46bb385aef5a5c2fdd667ea1fd9ea2c53e2d83f182b5eb9ea5f5f805279f5a
                                                                                                                                                                                                                                        • Instruction ID: 8c954a31638965b13016918b8068d498d9c5f6eff2abd0f30934cc48d88f9de4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fc46bb385aef5a5c2fdd667ea1fd9ea2c53e2d83f182b5eb9ea5f5f805279f5a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 97017D307043900FC3519678581461E77E6DFC2210751817EC84ACB395DD74DD45C3F5
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        • Opcode ID: f938a7347944202b9a589c159df711b462b690bbfd0f5756e81331977c4ac1ad
                                                                                                                                                                                                                                        • Instruction ID: 3f1b28922c759e0eaddfb1bfb0f8aa412500f16e19c78739b6f57190af5e4bb3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f938a7347944202b9a589c159df711b462b690bbfd0f5756e81331977c4ac1ad
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D2017831A0E2E48FC34A5BB99C541197FA3EF9224431881DDC88A8F667DE26DC43C795
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        • Opcode ID: a2b4fc66b39308c2c99a9d105fc54e48e733832fc12b739d053db7f8b1e2d519
                                                                                                                                                                                                                                        • Instruction ID: 80e5048b943afbea3d22d5584ea658373c19930fe048016ecaedf3aa900ebd4f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a2b4fc66b39308c2c99a9d105fc54e48e733832fc12b739d053db7f8b1e2d519
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F9012B313057A08FC3249B69E40425FBBE2FFC1744714482EC58747751DFB4A849C765
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        • Opcode ID: 63a0dfaf7967b518905d16e4fca4b2a7c1ac49f91b8c9df42d254453feca40ce
                                                                                                                                                                                                                                        • Instruction ID: 57dc8f3dea9796e25085c97d4e0d34312ce964ead9e22f5bf605778ccb856696
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 63a0dfaf7967b518905d16e4fca4b2a7c1ac49f91b8c9df42d254453feca40ce
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EAF0FC317051604FD7896A79A42432E7FD7DB85251760406AED07CB781DF34AE4187DD
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 145815a42664cc0624baeb9cad0997ce6c36b7ab98d4835cdcdc2ea04be89fd0
                                                                                                                                                                                                                                        • Instruction ID: 27bee8d188385340a20e33705af222385ddaeae509da81f68fe4befdf4174861
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 145815a42664cc0624baeb9cad0997ce6c36b7ab98d4835cdcdc2ea04be89fd0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FAD1F734A00399CFDB55DFA8C984A9DBBF2FF89300F158199D809AB265D770ED85CB50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d919bfdbdc3cb79f55a3de3d77a442d1d9dc25cfe3bc6a0e0faf28d8117a6c10
                                                                                                                                                                                                                                        • Instruction ID: 10039bb9bf2ef862bc9449a9a9506dc4a4a0b3e231e7e92267df04101ed3a651
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d919bfdbdc3cb79f55a3de3d77a442d1d9dc25cfe3bc6a0e0faf28d8117a6c10
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 74511A347401018FD788AF6BD898A2977E6BF8971132681ADE906CB375DF32EC81CB54
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0fb9d39e1fc747d2b53350c567a63fa90865b474033bea8b7366d442dddff3ab
                                                                                                                                                                                                                                        • Instruction ID: 6f18f798d65ee7710e8f76dc715b7a2a642dc9893ba2ffde58a8db62d6bd4b2a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0fb9d39e1fc747d2b53350c567a63fa90865b474033bea8b7366d442dddff3ab
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A861AF31B002059FDB48DB69D9946AEBBF7EF88644B10842DD806D7390DF70EE45CB95
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: aa66804b383dd9aac1b4bd28e27bd559237341512fa7ddfe0d81f436bfdc2862
                                                                                                                                                                                                                                        • Instruction ID: af5193fbf54ea87da28a6f4bba146888eeeaf1d4a86a6fde95cc4b265d2c9ec2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aa66804b383dd9aac1b4bd28e27bd559237341512fa7ddfe0d81f436bfdc2862
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C941287AB002168FCB51CF59C9809AABBF6FF8D30071581A9E919EB325D730ED51CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ec38c5f4b0557f3d29819c85a478ddf13cd316a2760e7e46fb946793da3f84a2
                                                                                                                                                                                                                                        • Instruction ID: caed12cbab2f73a44a7478d5978f6528c0600982287a254ab8fd9f055aca44a3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ec38c5f4b0557f3d29819c85a478ddf13cd316a2760e7e46fb946793da3f84a2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 34319C31B001058BDB499B79D8547AEBBF7AF8C644B21842DD816E7380DF70EE45CBA5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: bfb5131b5b7a8aaa6e8ca3030ef8d50c1f48b2981ce9970b552919248d65bb58
                                                                                                                                                                                                                                        • Instruction ID: 3e6295d8cd2b469e4d4954bab38a3e2439c73022c4aa165c3a7df492dbad89e5
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bfb5131b5b7a8aaa6e8ca3030ef8d50c1f48b2981ce9970b552919248d65bb58
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1D41F579B002169FCB40CF69C9809AABBF6FF8D300B158199E91ADB325D730ED11CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 48bcff28e523e92cb24e57f066d42fa8435b9a051d47b089306b00bc3847e1ea
                                                                                                                                                                                                                                        • Instruction ID: 6debf3d7ac5bc3d074fff26c52f709422eb90c42ba07e6e9baf678dd63b7dbab
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 48bcff28e523e92cb24e57f066d42fa8435b9a051d47b089306b00bc3847e1ea
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A541BC30B042558FCB55DF79C888A6EBBFAEF89200B04446DE546C7366DB30E949CBA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7ffd3369d682a03842e5acd82ef6258271fd9392ef544d4b1baf562bf3dce573
                                                                                                                                                                                                                                        • Instruction ID: 653f68167630a9e1f073b72155ad7dec5113dafec613dc2f6007dcc3a1b621f6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7ffd3369d682a03842e5acd82ef6258271fd9392ef544d4b1baf562bf3dce573
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 21413A36B001089FCB54DF68D88099EBBF6FF89710B158169E905EB360DB31ED42CB94
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 1954095eb91f250116be35918f04e8ed2de9cad622b9bc966e651bea9e23f2a1
                                                                                                                                                                                                                                        • Instruction ID: b04d1155cdb87828e455ff07b058609fc4cabbd35bfcff45c39162d369c6ab02
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1954095eb91f250116be35918f04e8ed2de9cad622b9bc966e651bea9e23f2a1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 62415375E012498FCB14CFA5C98499DBBF2FF89310F154169E805AB364DB70EE46CB50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0fc5ce3726a4334cdebe9100f7464f381d85a28a29c8d000bd366a468e8a46e0
                                                                                                                                                                                                                                        • Instruction ID: a406fb93b252bcf64281ef9630eda8aeb8835d29923c62106527778dde1c3e0a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0fc5ce3726a4334cdebe9100f7464f381d85a28a29c8d000bd366a468e8a46e0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B841BF30B002558FCB54DB79D888A6FBBFAEF89300B04446DE546C7365DB70E949CB60
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 38a6ac336fcdf73828806373ce5f67830375e1e8dd29b976489aae38da1c2def
                                                                                                                                                                                                                                        • Instruction ID: 7058849b0be57e106e556a93e48eaa98e5ad9f7fbf5dd40e4cffc6f5527311f2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 38a6ac336fcdf73828806373ce5f67830375e1e8dd29b976489aae38da1c2def
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0531BE35B001068FCB50CAA9D990AAAFBAAFF84210B15C16AE919C7755DB31ED41CBA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8b70fa770fae4731c1f9d5fa0ddb66725e77b3f304af02bbb006f713fe0e489e
                                                                                                                                                                                                                                        • Instruction ID: b23a83a7c889b4024f1a6f1a97e1605ba59639e38c464596488591a135f5b1bd
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8b70fa770fae4731c1f9d5fa0ddb66725e77b3f304af02bbb006f713fe0e489e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C2414C75E002498FCB04CFA9D98499DBBF2BF88310F158069E805AB364DB30EE86CB40
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8d23625868ffdb748d8e4ae38e06d9c6544830c061de2a13be221d69944bd7d1
                                                                                                                                                                                                                                        • Instruction ID: 42aa76c21e85c867f41f14dcd34f7a79b2c665edf0bebc6df07f135ca94593d6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8d23625868ffdb748d8e4ae38e06d9c6544830c061de2a13be221d69944bd7d1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C23185357047418FC325CF25D998A26FBE3EF85304749CA6CD94A8B766CA30F986CB50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 40706294647bec98c0e632ed485ff44aabd0ab99b167f52df769515e1d237c86
                                                                                                                                                                                                                                        • Instruction ID: 6fadcecd251d380a80ca7ebae18da93fd14408b1a0bce36d410ffa0fd531ff46
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 40706294647bec98c0e632ed485ff44aabd0ab99b167f52df769515e1d237c86
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E721AC6145E3E05FD743AB78ADA52C93FB09F43204B1A01D7D4C1CB1A3E928998EC7A6
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e1f62ecb46c2f79939030dad0ce2fc2c41e5d0c7c104e82b3a5412c6ef28feeb
                                                                                                                                                                                                                                        • Instruction ID: e52232ff717f1016a7aa53557ce754b4f1f4583b4cbaf6cbd0506c80869d004c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e1f62ecb46c2f79939030dad0ce2fc2c41e5d0c7c104e82b3a5412c6ef28feeb
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4B31AE352007018FC324CF25D988926FBF2FF893047198A6CD94A8B766CA30F986CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 648c44a1ab201f13e079a63d2bb160f1a067b85d175be408951d56071efddd15
                                                                                                                                                                                                                                        • Instruction ID: 2b29622f4b0284207a24d02872d5ecf3fd7194a939bc22e9064bf9cc6954c871
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 648c44a1ab201f13e079a63d2bb160f1a067b85d175be408951d56071efddd15
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9521AF34B00209CFDB489A75ED546AABBA6EB84711F008479ED05CB350EF71ED86CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: cd35884b2328f1229eb808cb2f2aeb7fe660c1b203e6003b2f3f58efa319ab1a
                                                                                                                                                                                                                                        • Instruction ID: ea147340973a0a093a1b4bae852852f96fc031e559cb165cae6a5425e8241a50
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cd35884b2328f1229eb808cb2f2aeb7fe660c1b203e6003b2f3f58efa319ab1a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4F1193727543014FD794DA1ED890A2BBBE6EFD8260715803FAC4AC7754EE71EC418394
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 808f853e8bd32a166724db0d9c3784be13be5ff8be736e518a4eae42f264ec91
                                                                                                                                                                                                                                        • Instruction ID: 8debd46c91ac951110951b36db2a433d8acfb5d0b54510ce8ee874d58a7e77d6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 808f853e8bd32a166724db0d9c3784be13be5ff8be736e518a4eae42f264ec91
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 281136713093545FD315AA7998247AA7F9ADBC2620F0404AEE54ACF291EE21CC4983FA
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e3db05cbb7d16a67877247f85f92bbac7ba612ab181ec6fcc907952048df320d
                                                                                                                                                                                                                                        • Instruction ID: 84ca76d30852e04c821960783bfec3b24a4e6bd0523472f8a4a70417e36667e7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e3db05cbb7d16a67877247f85f92bbac7ba612ab181ec6fcc907952048df320d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7C11CD34B00205CFDB489A35DD55AAABBA6EB84310F018469ED01CB390DF31ED82CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 389b388698ee648888c92f6cbdfde99b0a1b77653184b121b528bcefad56c221
                                                                                                                                                                                                                                        • Instruction ID: 29777026e5d320073fabe5a739376e3662055efc996ad534cb395566b933c72f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 389b388698ee648888c92f6cbdfde99b0a1b77653184b121b528bcefad56c221
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AD210875A101189FCB54DF69D8849DEBBF1FF8C710F10812AE815EB320EB319942CB95
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 62192d02e97cc26afcc9b67be7a25f10af389359826f430870ce367e91c4e2cc
                                                                                                                                                                                                                                        • Instruction ID: 98ae9525ca759999d482753b990b37d8242b0014744a0d5e997ad4a074cd0951
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 62192d02e97cc26afcc9b67be7a25f10af389359826f430870ce367e91c4e2cc
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4A01F2702053406FC311A7799854AAEBF96DFC1308740456DE20B8B355DFB1A84D87B1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 04228f6484f9e31395e74634708ea223f51d2a50837831edc1cb23d557f94813
                                                                                                                                                                                                                                        • Instruction ID: 0996498cd29ec8ea3b20455400b5517e5e0fcfeeed6321319cc8aab8c8a6765f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 04228f6484f9e31395e74634708ea223f51d2a50837831edc1cb23d557f94813
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E9018874D01208BFCB84EFB4D9405ADBFB5EF45200B0085E9D405E7351DA306F49DB65
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 067b7caea97a970365093a38c2cd4564bd8df9f676fd3e0853e6d5c6331c0c01
                                                                                                                                                                                                                                        • Instruction ID: 32410b47999d8a0bbdffa635b2b2feea0fd0bb38331458e061df86046779e991
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 067b7caea97a970365093a38c2cd4564bd8df9f676fd3e0853e6d5c6331c0c01
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5DF090377082244F9744AA6DAC84A2FB7EAFBC49A1315013EE909C7350DB61CC41C794
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000002.1761330252.000000000466D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0466D000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_2_466d000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a72ffe13b2cd9e59e96887ca65b83d770a868dd3389aaedaf7c97d0028046b91
                                                                                                                                                                                                                                        • Instruction ID: acfdf38dc96e155ccb1e23040b05a1d451a04d6c50860fa45d41a7ec2de850e4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a72ffe13b2cd9e59e96887ca65b83d770a868dd3389aaedaf7c97d0028046b91
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C01717150E3C09ED7128B259C94B52BFB4EF53224F1DC1CBD8888F2A3C2699849C772
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 4c2bd041e8e05bc59b5f5d1fda58190a1dd9b7eb46e8c4b0bdc97606062b9021
                                                                                                                                                                                                                                        • Instruction ID: dac224ba350b2f4f8b07365bdbec7faacd56eb237b71b38c3a6c4c0ab2301548
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4c2bd041e8e05bc59b5f5d1fda58190a1dd9b7eb46e8c4b0bdc97606062b9021
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 24F02834B001069BCB148A699D4095BFBAAFFC4250704C13AE91CC7754DF31EC42C7A0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 034873d5961326e8cb0bf6a382229d374745000b6b8e90df4506f8aa63dd8c5a
                                                                                                                                                                                                                                        • Instruction ID: 16c8d6d8889e55f26e5d2616c361ac5b1c32a6c265754d0c28451f3540e5d59d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 034873d5961326e8cb0bf6a382229d374745000b6b8e90df4506f8aa63dd8c5a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 60F0C860B182D80BE7A866744C2036F1ECA4B82780F06406DCD96CB782ED99DD8563EA
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 3cdf505bf77f07d5b55a49c7fb17639289e2dce9af04e756a36aa153dc11a4bb
                                                                                                                                                                                                                                        • Instruction ID: 71f0f329eb76240a45c4d1ef106e8e6fe8ccfa1da559ce9b79b7996cefc8d8b4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3cdf505bf77f07d5b55a49c7fb17639289e2dce9af04e756a36aa153dc11a4bb
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DE01D235740205CFCB05DF68D98099AFBA1FF843187148669E5199F32AEB31ED5A8BD0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: cbcd6c86294d4357941f7014a989b409306e833cfaa38dedf728b6900bdad80e
                                                                                                                                                                                                                                        • Instruction ID: c6501f0a413da2b6eba94ea6703f610d14c3dd535073eb71327c66afecbaea01
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cbcd6c86294d4357941f7014a989b409306e833cfaa38dedf728b6900bdad80e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 38F0AF757402014FD798CA1DD8A0A7ABBEAEFD8260715803DE80AC7754DA31DC41C760
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 008e81a8b2d63247f13215dd3cf13ef1a59fdf4ba70674c052f89c5736491481
                                                                                                                                                                                                                                        • Instruction ID: 8b8cb8cd80f8d4de22ba91b07673fe38c41f6f440a58eae22a1a8a17ae6e38b7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 008e81a8b2d63247f13215dd3cf13ef1a59fdf4ba70674c052f89c5736491481
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4E01A236B01505CBDB50CB65CA8055DF3E2FB88365B928639C81A97354D731ED86CB84
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: bc474b8859b2576cc00678ce6028c99caa33a8b5f21d17abff52e60904537472
                                                                                                                                                                                                                                        • Instruction ID: 1b393aee482dc85acb4eb40a1b19f6cb75128a091df69b8ea4429c0207b37c19
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bc474b8859b2576cc00678ce6028c99caa33a8b5f21d17abff52e60904537472
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 19F0E976B013118FDB50DB98E840925B392EFD43647528539FA168B364DB31DC81CB54
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: cd97601825ad8116d60c2f54d6d53397177d2e8bcb04789cc96b624d40939962
                                                                                                                                                                                                                                        • Instruction ID: 458772ba5b26aaf66588501e7a7089c371e68c44dcdc1ff77b2f0d56842e6dbb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cd97601825ad8116d60c2f54d6d53397177d2e8bcb04789cc96b624d40939962
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 65E0E5367002011B5618266E985096FB7EFEBCC8503360039E50AC7340DD629C0282B5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0abec0d73c5b96830ff848017c7f17a897be707413457567e2d3cf817f6725a6
                                                                                                                                                                                                                                        • Instruction ID: 63c5efdc28cc9ab0b3a7da1c87e4d0204ba67b9e7bfe39ddd2b343b721ba1c2c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0abec0d73c5b96830ff848017c7f17a897be707413457567e2d3cf817f6725a6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2EF05E70E0634CAFCB44DBA8E8045EDBBF9DA45311F0181E6E909D7250DA344A45CB95
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: aa435afe052ef5db7dc0fba6da28936d682ad7457c7adca4e95f70030df5a17b
                                                                                                                                                                                                                                        • Instruction ID: 4ada75946bb48014a90f95984039348c2fdda9b3afddb873b54957f090d9ed3f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aa435afe052ef5db7dc0fba6da28936d682ad7457c7adca4e95f70030df5a17b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 67F0A0357103128FC744D679A900566B79AAF882A430595BDDD08C7728EE71D842CB80
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 9c10f511a311f8645831afffc459b2a5448b4107c4f6490ce2aef8b542d01311
                                                                                                                                                                                                                                        • Instruction ID: 48270ddeb97a42a0aa781fdc79a20720a6b6faecaad3de1df561c22fda2a9afb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9c10f511a311f8645831afffc459b2a5448b4107c4f6490ce2aef8b542d01311
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 46F0E5713406111B8669A66DA81441FBBC6EFC5260350853DE61FC7304DE64EE8987B9
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ccde166c091f10ae5c85699704dd7b449a5aec66690c23a3001e4a68c0a94a81
                                                                                                                                                                                                                                        • Instruction ID: 43a6551ab9b552df2f53a69037f73135a0b1f23188a169f6f83939f06dda457e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ccde166c091f10ae5c85699704dd7b449a5aec66690c23a3001e4a68c0a94a81
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 72F0B431105BA09FC3319B19EC08687FBE5EFC0708B00492ED5C647661DBF1A588C7A9
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: aa4982c75be1c6eeb291deb23aa96d8b1ba460f3ec7719e64c240ebdfcff1c0d
                                                                                                                                                                                                                                        • Instruction ID: 78d2c5ca91270dec601313481a9742ee6613f3a84f23d8a35db6f0f35c445ff6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aa4982c75be1c6eeb291deb23aa96d8b1ba460f3ec7719e64c240ebdfcff1c0d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0EF03736B00509AF8711DF59E844D8ABFF9EF8925074580AAF55CC7321EB31D954CFA4
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0bd08cf29f8c3f67e446f98ff5b755bad10aa65bf7332d88d6a6ac90d2d4664c
                                                                                                                                                                                                                                        • Instruction ID: 99ac4f07ba9868aa9df83613611140d897364d78cdbdf5a167af31680d1dc6cc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0bd08cf29f8c3f67e446f98ff5b755bad10aa65bf7332d88d6a6ac90d2d4664c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4CF0E5303003014FCB10DA2DDC80A6A73DAEFC8264745443DE446CB324EF21EC46C794
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: de948f9024f1533cfae8ea742717a84eebf89cb48177592b9ab969a600900faa
                                                                                                                                                                                                                                        • Instruction ID: 723f4c88e87254d88cb0f60ce46a376c3cbcc7141aef9cebd683991625aa64fb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: de948f9024f1533cfae8ea742717a84eebf89cb48177592b9ab969a600900faa
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A6E01AB0E1025AEF8B94DFA99D012EEBBF4AF48280B10446DC91EE7200F33187418FD0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                        • Instruction ID: c1996c094625bbdedb6fd504e80bf9fabcab6b71bbbf33670d4309155d0f7da2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C6E01270E0025ADF8B80DFA99D011AEBBF4AF48190B11856DC91DE7340F7319A41CFD4
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 160cdc236333b9b24f3636e79ac9ecada6f6344e20a5175dc44927bd7e674c71
                                                                                                                                                                                                                                        • Instruction ID: 3f7afce04be3c84b29e7c49c23ec3462d18ff1f24370a25b28a176c91ef19fb6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 160cdc236333b9b24f3636e79ac9ecada6f6344e20a5175dc44927bd7e674c71
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 82E0C232B003029BC71549719A057B3F79BEF84190F1596699D0486718DE36D983C694
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ced8e53b4f4f6f4e508c88b4967660039b35dc860f91eb291ef87ef64abd9840
                                                                                                                                                                                                                                        • Instruction ID: 48c94968c3be1326930e41725428489c5abb16d4896c6242ff1d2d0398303f2b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ced8e53b4f4f6f4e508c88b4967660039b35dc860f91eb291ef87ef64abd9840
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 13E072302003002BC6147B29E008AAF7BEAFFC5364B08002EE60783B00DEB0B8468BE4
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 439148cb3a09e61fc7214567d820ce92ad7dd7e35a72fa514952c8013d789112
                                                                                                                                                                                                                                        • Instruction ID: dea3cd3a18ee152aaf3ff8d5ba103c0ac79b4fbc55986d5d64bbd50d7a3b6b33
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 439148cb3a09e61fc7214567d820ce92ad7dd7e35a72fa514952c8013d789112
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 84D05E36701160130A5929AE7818A7E7B9FCBC59A1369012EEB0BC3B40EF656D4653EA
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: abbae34cbe0e562a7ce72ec9a3862b11806caf9ad935ce6e38e4e92e087a937e
                                                                                                                                                                                                                                        • Instruction ID: 9bcc5e9d923044c7e68d867580acbc5e943322c9a19828329f88d824f262a2f0
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: abbae34cbe0e562a7ce72ec9a3862b11806caf9ad935ce6e38e4e92e087a937e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4EE04F716102089F8314DF4CD980C51BBE9EF592547568199E889CB722D732ED12CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a954d4af4e325bdd21dfc2ebc58e8e42a400d4b8519d23e27db08208f60032c9
                                                                                                                                                                                                                                        • Instruction ID: 5255c0b119df56fd61042e8fcc96c0c27495230dd9e1cb95e1e08c1b59057d1f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a954d4af4e325bdd21dfc2ebc58e8e42a400d4b8519d23e27db08208f60032c9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D6E0C23220D2645FC3066F10D851494BFB4AF0A21031500ABF8D1CB262DA614D59E791
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b53c9952eaf3c90a9205e81e92a4f336f3e27572c85d887bacab35e5ab1bf12b
                                                                                                                                                                                                                                        • Instruction ID: a0a2b7d491ee5d27b9cbd3a8e0d6336dfc0d0d07b9f0856552e798a25389a196
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b53c9952eaf3c90a9205e81e92a4f336f3e27572c85d887bacab35e5ab1bf12b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E3E0C2312007044BC2147B59E008A5E7BDAFBC5764B48042EE54783B00DE71B8458BA4
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f92729e8693ac96183de8c597d98b4c0bc798e418bebbe1ebfcd78a9b0db3dea
                                                                                                                                                                                                                                        • Instruction ID: cd386f828723b1f316547d64ca950d511a591522a49aeb4178246134ec403fa9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f92729e8693ac96183de8c597d98b4c0bc798e418bebbe1ebfcd78a9b0db3dea
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C9D0A736300160130645299E781853E779FCBC5D6131D012EEB0EC3B40EF615D4553E9
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 760b862633735a1856e4d3d8b9b36de0f41c97ff84a709600bc6832ef84ab7bc
                                                                                                                                                                                                                                        • Instruction ID: 0eef7125ece6c05dd290433e3fd7d0720714cb7a05497565bf65fa3a57d65a39
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 760b862633735a1856e4d3d8b9b36de0f41c97ff84a709600bc6832ef84ab7bc
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0CE01270A11108FF8B54EFB4E90259DB7F9DB44204B1145A9D90AE7350EE316F4497A5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 26e5370e61eee4e36ea29d5f1e80fab543e638f29b9fa259d7478b657ed4aaf4
                                                                                                                                                                                                                                        • Instruction ID: 9e10dc74d4ce282e9913edffc7da9e157e1800be58d3f8171497f2fb876035fa
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 26e5370e61eee4e36ea29d5f1e80fab543e638f29b9fa259d7478b657ed4aaf4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ACE0EC753142189FC314DF5DD980C91BBE9EF59254356809AE889CF722D772ED12CBA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f847ff48b40ed25f5c9550b0547674e6ca2da2ed8123f4c2c142cd069b2e37a7
                                                                                                                                                                                                                                        • Instruction ID: f37a143aa2a470ff2dc5cc38d62ca2edd6c8f30d4d2f30525b2e51b5577cadef
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f847ff48b40ed25f5c9550b0547674e6ca2da2ed8123f4c2c142cd069b2e37a7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 71E0B674E0520CAFCB44EFE8D94459DFBF5EB48300F0081BAE809E7354EA349A448F81
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e202a0581142e97cafc48fcf8a6b6668c7c83629d36d05b6e74374d6b5f921fd
                                                                                                                                                                                                                                        • Instruction ID: 5a3be9decbc3017560ccba5c3567e2a41254d9aa7491685413034c3351af2279
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e202a0581142e97cafc48fcf8a6b6668c7c83629d36d05b6e74374d6b5f921fd
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 67D0A772B102142B8B6499A59C00BDB7FEDCB455A0F01406AE409D7240EA71A9408298
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6e03093816785cf6f58722c5903f6504091e5d9a34aec6030362aecdffd603c7
                                                                                                                                                                                                                                        • Instruction ID: 97a20f32a3cb7b1f601e7d7863aac1fd43c334a0d3e8bdbd0de0434434695785
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6e03093816785cf6f58722c5903f6504091e5d9a34aec6030362aecdffd603c7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 59D05E712020109B83648A2CF804D83FFAAEFCE26031547B9F009C7204CA70D882C7E0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8a4ced8c24cb692a1fbd6cebd62824a5017057455dd7711f11a0d40d015e02d6
                                                                                                                                                                                                                                        • Instruction ID: e4659e7036c6a72ccbc5b88c92a83e4a77e410762ba1ef63a5a04c1c892d8bd2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8a4ced8c24cb692a1fbd6cebd62824a5017057455dd7711f11a0d40d015e02d6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 06D05E39601215ABCA054A61EA01955BB2AAF85228B2880ACE8080F255EA23E883CBD5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 5306634cef8a1ff214da6325e53d0272e8cca3922332886f18dcdf2b02bfb08a
                                                                                                                                                                                                                                        • Instruction ID: 41695ca76b7e36550d657dcb47635b3dd37c5835256b8addc8e0814342dc2925
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5306634cef8a1ff214da6325e53d0272e8cca3922332886f18dcdf2b02bfb08a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 14D022306D030C19F3C831A12C0E37A32C85B40720F57001CEE1C48AD1DCA925C0C19C
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b7357833c6acf1fe15888849a835ffc8686b064196391575717ca41ea14f16cc
                                                                                                                                                                                                                                        • Instruction ID: 70e19b465eb420b66e3a7db0b4518a35f9ef58efd585dee37d4d2bb86f235f58
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b7357833c6acf1fe15888849a835ffc8686b064196391575717ca41ea14f16cc
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6ED0A7723140186F87447619DC9596ABB99E7863607514433FD02C7324DD606C81A3EA
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6d3413d078aa494e9d3f8bf89bd61c1ddb4a0ce92ce59d936cbfa1adfc247587
                                                                                                                                                                                                                                        • Instruction ID: dba9ad5e6cd34d6ae9eeb3905a655b6c212c9df818a94c37481fd67de1045ac2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6d3413d078aa494e9d3f8bf89bd61c1ddb4a0ce92ce59d936cbfa1adfc247587
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CCE0123041B3C59EC7564B34C828601FFA0AF4731575A45DEC9968F0E3C71E4546DB16
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0eed2c77245c792c034946bcc2c0595104c9a5ff85b4f9c586f7fbe8c9e84ea9
                                                                                                                                                                                                                                        • Instruction ID: c27eba34ab4fa62a990ac813611e3c9b324453978885f56d1ba91e5bf5608392
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0eed2c77245c792c034946bcc2c0595104c9a5ff85b4f9c586f7fbe8c9e84ea9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C4D05E70A0110CFFCB50EFB8EA0155DBBF9EB44204B1145A9DA09D3350EE316F049BA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 502174bbc58ae91852d7a1046356f5186a48fb0a98654fb95176623303d0502e
                                                                                                                                                                                                                                        • Instruction ID: 34313d4deaa3176d4e433ed007e392432f6b717587ce77f91e20b96d2b8f5d0e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 502174bbc58ae91852d7a1046356f5186a48fb0a98654fb95176623303d0502e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D5E01231A1420BCBDB549FE1C964BAE7772BB08309F254419D901A7244DB74864ACF81
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 9dca563da2ff7683c398b56d52d28f89cd14a6c5841d9932ba78498f3d78e7f2
                                                                                                                                                                                                                                        • Instruction ID: 65f103ca0089947ebc95fbe7a5c20e02e4381ec525d7edda85fea526ce28dbf9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9dca563da2ff7683c398b56d52d28f89cd14a6c5841d9932ba78498f3d78e7f2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4BC08035F2232557CB5426B478083DABF9DDB86561F51446ADE5EDB301DE74CC4143C4
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 70ef21081726f101b2ba8cc21cc8d59041eac2f3d48e04745341bf43a20e5d8d
                                                                                                                                                                                                                                        • Instruction ID: 3eac2ab4f983f4b2b971c130bc4060ddad1f10a8bedfd72ecb2b5310de844931
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 70ef21081726f101b2ba8cc21cc8d59041eac2f3d48e04745341bf43a20e5d8d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 66D05E70905209DFCF04DFB5E94195DBFF9EB44204B208AA6D808D3220EA30AE04CB80
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b10304b30731f8474165597657b349b05bd973f37d031857d0b1f357050a305b
                                                                                                                                                                                                                                        • Instruction ID: dc84e5ef7e348f773e25427fc39ee11b6fa53439841c8a3883c1367eb40036ae
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b10304b30731f8474165597657b349b05bd973f37d031857d0b1f357050a305b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9BD01230715244CFDB88EB65E96553977A9DB8868430488ACAD0FC7342EF26F902C684
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 44100a275e5449eda924011e9e0b8c5248805ea092506e1c0d6c1b51638a18f2
                                                                                                                                                                                                                                        • Instruction ID: fa90c70f0c8f0957728c2ee8b3a3087c939269fb326b7e2255f438f616e5f51a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 44100a275e5449eda924011e9e0b8c5248805ea092506e1c0d6c1b51638a18f2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4FD0123100E2909FC712C7209C55896BF71AE5230075942AAE080C6012D2290E69C3B2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: dec5951c1945451ef1bbaf3fe00b9bf011093678c9155c6c12e77ce2ea134d10
                                                                                                                                                                                                                                        • Instruction ID: 014ab0b664e5947d33b428b06d735b6d1146325e672eb07936f13796cd33e37a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dec5951c1945451ef1bbaf3fe00b9bf011093678c9155c6c12e77ce2ea134d10
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CFC08C30B1BAD4DEEF48A771A8256B93B16E6981913050EACE90FC3A41FB16A1408644
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 1c384f4caf2bc9ee2b780d5fdc766f84d54bd137b1029188ac9700a7e065fe5d
                                                                                                                                                                                                                                        • Instruction ID: 8852bc75330cb5a187c575a93f3f2af58861646f397a09c9751e9f2e8b52842f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1c384f4caf2bc9ee2b780d5fdc766f84d54bd137b1029188ac9700a7e065fe5d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BEB0927094530CAF8620DB99990185ABBACDA0A310F0001D9F90887320D976E91056D1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 15aa3fe41233d390b1486184a77253fdc6209f001896a52315182b1b95887a5c
                                                                                                                                                                                                                                        • Instruction ID: 8b836db89a8f601946f5f816da2acccf4d1726da04335fbeac14f6576d5266cc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 15aa3fe41233d390b1486184a77253fdc6209f001896a52315182b1b95887a5c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 94A0241D30F15107CF04533017DC4DF7F0F45C430130400C470070C041C5D41714D551
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000004.00000003.1760676449.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_4_3_6c50000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq$,bq$,bq$Hbq$`]cq$`]cq
                                                                                                                                                                                                                                        • API String ID: 0-2072144370
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: \VPm
                                                                                                                                                                                                                                        • API String ID: 0-1091993013
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq$Xml.Serialization$t_Error$tion<Microsoft.Deployment.WindowsInstaller.FeatureInfo>.Contains$ttributes
                                                                                                                                                                                                                                        • API String ID: 0-3004198570
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $^q$$^q
                                                                                                                                                                                                                                        • API String ID: 0-355816377
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: t_Error$ttributes
                                                                                                                                                                                                                                        • API String ID: 0-3862949415
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq$Xml.Serialization
                                                                                                                                                                                                                                        • API String ID: 0-945816881
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: \VPm
                                                                                                                                                                                                                                        • API String ID: 0-1091993013
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: lReader
                                                                                                                                                                                                                                        • API String ID: 0-2871776326
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: lReader
                                                                                                                                                                                                                                        • API String ID: 0-2871776326
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: lReader
                                                                                                                                                                                                                                        • API String ID: 0-2871776326
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: lReader
                                                                                                                                                                                                                                        • API String ID: 0-2871776326
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        • indowsInstaller.Errors.resources, xrefs: 06CB0C48
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: indowsInstaller.Errors.resources
                                                                                                                                                                                                                                        • API String ID: 0-3104302466
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: tFiles
                                                                                                                                                                                                                                        • API String ID: 0-547845684
                                                                                                                                                                                                                                        • Opcode ID: 2a0a0caa5a4a69532d9bf2a6f4156f056febbbd9014aa31b17b6c17c91146318
                                                                                                                                                                                                                                        • Instruction ID: 3d8008f464d69d934103e4f35a21af4f7c1a7e0a367e22d701d3e94cb8bbc63e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2a0a0caa5a4a69532d9bf2a6f4156f056febbbd9014aa31b17b6c17c91146318
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 61D0A7323500186F56447619D8958AABB99E7852A07504437FD0283324CD61AC4087D5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d7d273579879a572c9ee201e722b2e13cc6c0eb149ddb37d0773c48bf1820649
                                                                                                                                                                                                                                        • Instruction ID: 42137a9ef27bdf6c1ebf5096e08e836426fc6b24245a1a78366b006cd38ed987
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d7d273579879a572c9ee201e722b2e13cc6c0eb149ddb37d0773c48bf1820649
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E8B16B70E00209CFDB50DFA9D8817EDBBF2EF48314F649129E819AB294EB749945CF91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 991b1cdc48ece52159b2ca0cb4a23298edc184db489feea9c80a6293b582b53e
                                                                                                                                                                                                                                        • Instruction ID: 364996cf7d4cc14810220b9c9e1388d4b4487d2452cf7fcf0e7669d9a0488a7c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 991b1cdc48ece52159b2ca0cb4a23298edc184db489feea9c80a6293b582b53e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9D41F739B101189FCB54DF69D8809DEBBB6FF88750B14816AE905EB361DB31ED42CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7b7649815e88f0b3c4f86b12c698569730c365464c11e7759934a354e532af21
                                                                                                                                                                                                                                        • Instruction ID: 37b56bcea94fc97fa7056da908b94a65e40be6f6a7b60d18b4dfad9321a3f2a1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7b7649815e88f0b3c4f86b12c698569730c365464c11e7759934a354e532af21
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 12119E35B001288F8B99BB7954205FE7AE2AFC4655B10057DD90AD7344EF389E029BE6
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 2274c9f7cc5dc4a8a2cbebca29a6a43f1153f42c84314403f5cac7fae5366df5
                                                                                                                                                                                                                                        • Instruction ID: e7f8c7483b4ab6e88c35517d8ab67129d107c8789d20cfbd3e0638cdc88d066c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2274c9f7cc5dc4a8a2cbebca29a6a43f1153f42c84314403f5cac7fae5366df5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C511FC75F101189FCB94DF69D8849DEBBB6EF8C710F108129E915E7321DB31A941CBA1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000002.1766483120.00000000046DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 046DD000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_46dd000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c5b09cb4176403ad1f136a925bd4e86f55f528f75f10318cbc22573a6190adc6
                                                                                                                                                                                                                                        • Instruction ID: dd8c6a704679dec16525a9446e61a6b59b0d3e162f5e62fcc6bbfd3530f3df92
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c5b09cb4176403ad1f136a925bd4e86f55f528f75f10318cbc22573a6190adc6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1F016D6140D3C09FD7128F259C94652BFA4DF93224F0985DBE8888F2A7D2695C45C771
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000002.1766483120.00000000046DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 046DD000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_46dd000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d2ae4baa0b86fba33cd39fc51416eba5c7a9fe63f9576ddd54849a99b9c30835
                                                                                                                                                                                                                                        • Instruction ID: 04a62180fde6f97a22d62507fe87fde3b7d132a2844660e389f7e1a599d478a6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d2ae4baa0b86fba33cd39fc51416eba5c7a9fe63f9576ddd54849a99b9c30835
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FE012B70908300AAE7106E25DD84B67BF98DFD1324F08C52AEC080B246E279E846C6F1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 34af11d083ecef45022c2a265421260cea9fd4688631d0e5837bd8a4161bf183
                                                                                                                                                                                                                                        • Instruction ID: cb3e2d8e38883a3bfb2270a11c45da2ce54813f424549526c9aeedf9278a9501
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 34af11d083ecef45022c2a265421260cea9fd4688631d0e5837bd8a4161bf183
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 74F02B34F493841FFB9552312C313B62FA69BC1210F08A46AE906CB7C2CC285C0443A1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 674d54555dda641755fcadd3c18d209fe0f9cfe0c2b99fc5a5eb64dc001eaa04
                                                                                                                                                                                                                                        • Instruction ID: ff10a46ded17c4202bbe256e70b0e871689e1a7ee4f7ac3de6087e2c34638931
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 674d54555dda641755fcadd3c18d209fe0f9cfe0c2b99fc5a5eb64dc001eaa04
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AD016D39A00211CFC745EF78D4156AE3BF2AB89715B10046AE90AD7360EB35ED42CF91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 807112106b126e6e6bf42de6282625c1f522eccda424a836a15ae5be4bae8b47
                                                                                                                                                                                                                                        • Instruction ID: 5e35bc416b02a0c120b3bd90f80bd63af81b79832a614fa6639b8c6fa1f3b8e0
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 807112106b126e6e6bf42de6282625c1f522eccda424a836a15ae5be4bae8b47
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2D016D39A002158FC744EF78D4056AE3BF1AB89615F100069E90AD7360EB35A942CF91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000005.00000003.1765930277.0000000006CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CB0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_5_3_6cb0000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq$Xml.Serialization$removeItems$t.Deployment.WindowsInstaller.TableInfo>.Contains$tables
                                                                                                                                                                                                                                        • API String ID: 0-621786808
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000C.00000002.1820801396.00007FFD9B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffd9b4e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5d9ecae83d5b2adb1e363bb9fed332546c6eed8f51f5965ba72ac9e587f74588
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 70B1D874A0895D8FDF94EF68C894BA8BBF1FF69301F0141AAD00DE7261DA34AD81CB41
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ceb1523d805e508715fe3f3843b873c63068381e803563a3d067e77b3e9b694e
                                                                                                                                                                                                                                        • Instruction ID: 7317476df8ce01baf28c3898f2662cdaa19181f46d75900cc382542ab4b2cc2b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ceb1523d805e508715fe3f3843b873c63068381e803563a3d067e77b3e9b694e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B8B1A130A0E65D9FEBA5EBA8C4557A8BBB0FF55310F1141BEC00DD72A1DA795D81CB01
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 074bca4b622aa35186fea019ab49543a0fdb41c9bff450a34511dcbcbb5c67b5
                                                                                                                                                                                                                                        • Instruction ID: 28bddb367a771ef62fb53b1e8153492b6ed20fa4592975162566ffc53d85d9de
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 074bca4b622aa35186fea019ab49543a0fdb41c9bff450a34511dcbcbb5c67b5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ED91B470A0E68E9FE792EBB4C8256E9BFF0EF16320F0501EED049D71A2DA6C5845C751
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 3cedccbb960a6428618e67b3f3c214810d4a334227cc5e9536a79b098a2b9d7a
                                                                                                                                                                                                                                        • Instruction ID: 3d9dd9f53b11dc01ee4833189c38b61a430bdd95316247c753b011d6a2794fa7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3cedccbb960a6428618e67b3f3c214810d4a334227cc5e9536a79b098a2b9d7a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 32919F71E0A66E8FE7A5DBB4C8557E8BBF0EF15310F0540BDD049A72A1DA781E86CB40
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 20681abf0c3684aa720335ed73e6186555f157a95d6c818224090fcedba76b5d
                                                                                                                                                                                                                                        • Instruction ID: 410ad8a0d1a73b6eb88caafb3de8e30f9c40c5f0e55638e6df3c0212b7580f42
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 20681abf0c3684aa720335ed73e6186555f157a95d6c818224090fcedba76b5d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4D518631E18A1C8FDB69DB58D855BE9BBF1FF59310F0082AAD04DD3252DE34A9858F81
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ed7353fb8d204e6880ee33cf07fbf20260d06b323276fc9258d5354fb0b9fbb8
                                                                                                                                                                                                                                        • Instruction ID: 57c6a960afe3aa9c7c33aa52280e8997f0195ea03b9500535c0c49c80067c978
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ed7353fb8d204e6880ee33cf07fbf20260d06b323276fc9258d5354fb0b9fbb8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0B513D34A0955D8FDF98EFA8C4A5AEDBBB1FF59300F11046DD00AE72A1DA34A945CB50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 428c9cb0921b2c21c168f34542a22fab45cf4cf72fc18ce8d685bbf8083b924b
                                                                                                                                                                                                                                        • Instruction ID: 98797b8c7bd2abf9b7a45847c6c53c1981d71852a21f60148cf487cb4b726154
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 428c9cb0921b2c21c168f34542a22fab45cf4cf72fc18ce8d685bbf8083b924b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3B516D70A0AA5D9FDB99EBA8C4597E9BBF0FF19311F4101A9D04DE72A1DB385981CB00
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820801396.00007FFD9B4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4E0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b4e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b606c9195e9b5bb299ed353c44c1914d3c1d8e0241661ec18c0df67783f1ddfb
                                                                                                                                                                                                                                        • Instruction ID: aa725545e38a64e139b4196a50edaa7bcce84f0201cda483fcfb617bb2bec8da
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b606c9195e9b5bb299ed353c44c1914d3c1d8e0241661ec18c0df67783f1ddfb
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1C411862B0EB894FE792D77C48A65617BE1EF6661430A01FBD099C72B7D918AC42C341
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c1baf6b079b846e73e08fc55cf2cf2f8987e3ef16b96df2984221860ca8e2c68
                                                                                                                                                                                                                                        • Instruction ID: 43715bd480779c7748608417802c0c2e60c27bfe485d258eb8f7e34571dcb9ff
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c1baf6b079b846e73e08fc55cf2cf2f8987e3ef16b96df2984221860ca8e2c68
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 71514270E1951DCFEBA8EB58C498BECBBB1EB58305F5041AAD00DE3291DB759A84CF40
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d0df63e8d6cbc2f94890a691b0805b5a82ee8a9072b406ba23fff298367740a8
                                                                                                                                                                                                                                        • Instruction ID: b7ac13d5f3e155fa427d46caf5295bf2a6a738520292aa4e4f4aaca85ed103ec
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d0df63e8d6cbc2f94890a691b0805b5a82ee8a9072b406ba23fff298367740a8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7851B770E0951DCFDBA9EBA8C459BECBBB1EF19305F5041A9D00DE72A1DA749A84CF40
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d38e3a88a13ac3393b4efa1113a3800532e35dea6c402558b7a09a8c64299601
                                                                                                                                                                                                                                        • Instruction ID: 1839ee0a07ebcd4e9608fe236fcb51fa0f244e9e6db56ab626379707bdf50fe7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d38e3a88a13ac3393b4efa1113a3800532e35dea6c402558b7a09a8c64299601
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FE41F961B0EACE5FEB92FF6898615E93FA0FF56310B0642BED458C71E2DA245D06C740
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e841bc29206cd3ca335e6098989477483afdab59a355f75553fc012efb85e2d7
                                                                                                                                                                                                                                        • Instruction ID: 1cbfeeef4eec431e5197509d6a70d8c8bd81879692b66aaaaa79423b5b9d290a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e841bc29206cd3ca335e6098989477483afdab59a355f75553fc012efb85e2d7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 52315E70E0A65E8FE769EFA4D0657F9BAB0AF06300F0014BDD00A672E5CA785A84CF04
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6d93a6c219eb7c794da3b163b66b2be9c614d6c1a83fe3248c4389bce2f7d2e7
                                                                                                                                                                                                                                        • Instruction ID: 3c554cc5ffe2da16085891406c7abbaac817d2972daebb3c78732f8509e25a09
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6d93a6c219eb7c794da3b163b66b2be9c614d6c1a83fe3248c4389bce2f7d2e7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F621D122B0EB9D0FEB15EB68A8614EA7FA0FF45320B0503BBE458C71A3CD6499458351
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 342a092423cd03bc15c980684737ac97844a5cbc078c7dd08994fc1345b9e09f
                                                                                                                                                                                                                                        • Instruction ID: 06d23a11c84875e8da19f2819423e9eec4bb803118254017973369db45902902
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 342a092423cd03bc15c980684737ac97844a5cbc078c7dd08994fc1345b9e09f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E221B571A0F7CA5FE7A3A6B488295D87FF0EF02220F4901FED0859B1A3DA5D1946C751
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 409c23cb8f3c76f7c5243fb28747b28083cc1da8e89f74842d636b870c2d1433
                                                                                                                                                                                                                                        • Instruction ID: e9ff8ea22433a44551584122c28e2e12d651ad92ef43167751d022c65457e8a6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 409c23cb8f3c76f7c5243fb28747b28083cc1da8e89f74842d636b870c2d1433
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 28217F70E19A5D9FEB91EBA8C8556EDBBF1FF58314F00007AD008E7265EB3458458741
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: cea1d9f571e9acbb5ea7df4826ac60e13763f45075ced7f623c147d9e8b9c772
                                                                                                                                                                                                                                        • Instruction ID: 2434a8a83361c7aca15a6121b450c382ec516d340bb18407aa59e6893c5b86c7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cea1d9f571e9acbb5ea7df4826ac60e13763f45075ced7f623c147d9e8b9c772
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 45215E34A0965D8FDB58EF94D820AFEBBB1FF49300F01016EE009D72A2CB346954CB50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b95b9e1f7f3f36ed3ad37ef52d0e0ba45c2bb9fe2f0bd11d0924a81a66796a51
                                                                                                                                                                                                                                        • Instruction ID: 4473bc9a6fe37603ce96242c2601a5866e9595807d8e9e3be3b5cb8810971c40
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b95b9e1f7f3f36ed3ad37ef52d0e0ba45c2bb9fe2f0bd11d0924a81a66796a51
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6F21F870E0950DEFEB94EBA4D465AECBBB1FF59301F5100B9D009D72A5CB38A981CB40
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 394e6baea3095cd8f3ba62549e1d932ab01b78fab8f467363ad70ad178703e93
                                                                                                                                                                                                                                        • Instruction ID: bee59838b9127e04dd9b031bf97f41dab705506dcb8c7d9c16a11e60dd54d8df
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 394e6baea3095cd8f3ba62549e1d932ab01b78fab8f467363ad70ad178703e93
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F1314EB0E0A62D9FEBA1EF7888557D9BBF0AF14310F4141E9D04CD71A2DA785E85CB40
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EB010C30A0A61D8FE769EFA4C4657A9B6B1BF45300F0104FDD00EA76A2CB796A84CF04
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 16670a02f17234ecedff2371fd478ef7a7ca30e96c455c34345d90efb151e2d8
                                                                                                                                                                                                                                        • Instruction ID: 0294e708a0c10f3ed3ef61185e9c7104dede427c4ad6e5fbd6b4d3bc5820f7f3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 16670a02f17234ecedff2371fd478ef7a7ca30e96c455c34345d90efb151e2d8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A01C87490552D8FDBA9EF28C895BD87BF1EF69301F0001E9A00DE72A5CAB49A85CF40
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 53a22d6c157e149a180fcf8804a0f26d961f5bc91b57219efcef1433f3b81ec3
                                                                                                                                                                                                                                        • Instruction ID: 6675ae8c98a9a95b192650f0ad542a6aa29f46a6db1c56c3826eb109cd5027f3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 53a22d6c157e149a180fcf8804a0f26d961f5bc91b57219efcef1433f3b81ec3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 00F0A430D1A65A5FD761AB7884126B87BF0AF05711F4000FCD045931A3D93C6E458B51
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 49ae9b08d8abb8f32b8ffc6ada24385da5428e072cc7bee8b7e23a0c49e7a947
                                                                                                                                                                                                                                        • Instruction ID: 776bb5cf04b40d52d6f6493f65df12c7aeb5141a12d7db7e6b4bda597b98d70e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 49ae9b08d8abb8f32b8ffc6ada24385da5428e072cc7bee8b7e23a0c49e7a947
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 99F05E70E0950D9FDB50EBA4C4553EDBBF0EF45315F0141BAC018A31A1D63C1A84CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 464e72827055b3db2dd74af3a2deeaefc40306a24f0600ff5c085b1d9006c779
                                                                                                                                                                                                                                        • Instruction ID: 7878555176bb72c6616cf73b7aa21e25c904462b4ed589159edcd47bf01fcaea
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 464e72827055b3db2dd74af3a2deeaefc40306a24f0600ff5c085b1d9006c779
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BBF03070A0990DAFEF95FBA8D46599CBFF1EF58310B11057DD009E32A1CA38A841C750
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a0cf66e114161cc5a52e52b6d78f32e0e197eb30e64313768cdbc5f1bfe5117e
                                                                                                                                                                                                                                        • Instruction ID: 9c7758e7b65f6aadfd798e561fe1708818d3d6a8db3d5fb98c172e697aa579b3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a0cf66e114161cc5a52e52b6d78f32e0e197eb30e64313768cdbc5f1bfe5117e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6FF08C7090A26D9FE7A5DB70C8903ECBBF0AF01310F0180A8D00C672A1CA781EC8CB00
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: fab51ae94b7f4876d62cc8c07d3ca30fcf580e0bfb51239f63f1e4a27d212551
                                                                                                                                                                                                                                        • Instruction ID: e01ba7320cb75922a137c445a37ce1e2099ee498f6bdf0291c18b105461d22ad
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fab51ae94b7f4876d62cc8c07d3ca30fcf580e0bfb51239f63f1e4a27d212551
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 34F08C30D0A2299FE765DF71C8117ECBBF0AF01300F4180A8D008672E1CA782E85CF00
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0893a0b66299a4c2d22d6b33457be24c959fe2c1a194446340c8208aee626c31
                                                                                                                                                                                                                                        • Instruction ID: d766485f9f806f313458109e603d9a872aa5b15a41b79937d9202ff7598fe739
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0893a0b66299a4c2d22d6b33457be24c959fe2c1a194446340c8208aee626c31
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 34E06D3070A64D8FF7A5EAB4C8662A97BE1FF46200F96087CD05DC72A2CD295845C700
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 35b30e0561785bd6e1c88f400fa4042b6db1ca06335b5c3945c029e8fcae1a0f
                                                                                                                                                                                                                                        • Instruction ID: e9f5542592cfe7607a4686a08c182b66df8b4f36723275cb3f5cea8c149072db
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 35b30e0561785bd6e1c88f400fa4042b6db1ca06335b5c3945c029e8fcae1a0f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 54F0FE30E1A62D8EEB75EF54C8657E9B6B1AF24301F8540F9D08C561E6CBB81AC4CB41
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.1820380218.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: H
                                                                                                                                                                                                                                        • API String ID: 0-2852464175
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 979eb8c2a766623c8785648744448480f9651a2f5856e24897d034228c27f9b2
                                                                                                                                                                                                                                        • Instruction ID: 8c21a668e755e299badb89b9a98c233162126db066755c1659c18f0620cc86d5
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 979eb8c2a766623c8785648744448480f9651a2f5856e24897d034228c27f9b2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6641A170E1A64D4FE765EFB888682FDBFE1EF46200F4505BDD049972E2CA386945CB40
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: _$9_H
                                                                                                                                                                                                                                        • API String ID: 0-651548031
                                                                                                                                                                                                                                        • Opcode ID: 2f5ee20ff2dab977b0ae6f7013d8eafebec5e877951006620c027b66dbdbc849
                                                                                                                                                                                                                                        • Instruction ID: b446e1204e06424e23e60c31efaf203b57f85eaedf7d3c8112242bd22641441e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2f5ee20ff2dab977b0ae6f7013d8eafebec5e877951006620c027b66dbdbc849
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 35226921B1EA8E0FE7A99B6E446557977E1FF96300B0501FED0A9CB1E7ED18B9028340
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: M:_H
                                                                                                                                                                                                                                        • API String ID: 0-618837891
                                                                                                                                                                                                                                        • Opcode ID: 42c3cc854912c6ba8c357b7a9fbd0cbe2a9ab9f299e53989d15d5a23a78a2df1
                                                                                                                                                                                                                                        • Instruction ID: a0f6e18da690e4fe2b7b5b4212e7d718a84adb632bf19ec4cc2be619dc21cdaa
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 42c3cc854912c6ba8c357b7a9fbd0cbe2a9ab9f299e53989d15d5a23a78a2df1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 52620731A2DA8D8FE7A4DF6A84A5A76B7E1FF59300F0504BDD099C72A2DE24F841C741
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: H
                                                                                                                                                                                                                                        • API String ID: 0-2852464175
                                                                                                                                                                                                                                        • Opcode ID: 55e801461ad15526411b2907fae59a00aaeaa653e600fa5fb8a18aef220fd5a7
                                                                                                                                                                                                                                        • Instruction ID: a05c88c2acb12007a23961cbc8d71ca265c37ef8dc7ac7f0caec2f1e382200cf
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 55e801461ad15526411b2907fae59a00aaeaa653e600fa5fb8a18aef220fd5a7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A4E14C31B1DA8D0FF758EB6C88695797BE1EF99310B0546BEE08DC71A7DE24A8028741
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 'S_L
                                                                                                                                                                                                                                        • API String ID: 0-806523986
                                                                                                                                                                                                                                        • Opcode ID: eb0bedd2967420ea5b9a1665fae4f694f90c6d5d0464ea1a731717fd2ad58b0c
                                                                                                                                                                                                                                        • Instruction ID: 75b9819f8b7059a9cbd53c7cb078402ec220cf45f8a7ca10c8200ea7751aea1e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eb0bedd2967420ea5b9a1665fae4f694f90c6d5d0464ea1a731717fd2ad58b0c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0BA13921B1D94D0FE7A4EB7C9869AB97BD1FF9831074502BFE44DC32A6DD24AC068381
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: d
                                                                                                                                                                                                                                        • API String ID: 0-2564639436
                                                                                                                                                                                                                                        • Opcode ID: e9ff4b00fe5b5611f0996647ba89a63ada5d86eaf816fd75b73a7d2c1363c22f
                                                                                                                                                                                                                                        • Instruction ID: 74df2c165467ccd2cccfc30acd0b05d7dba6ba05a7a55cc8bd3181a598e6af5b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e9ff4b00fe5b5611f0996647ba89a63ada5d86eaf816fd75b73a7d2c1363c22f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C4B11F30B1DB4D8FE768DB48D4A1975B3E1FF98704B144A7DD08A832A6CA35F9438B81
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 9_H
                                                                                                                                                                                                                                        • API String ID: 0-1170298704
                                                                                                                                                                                                                                        • Opcode ID: 964dd7841058b76da878c8aa296a6ca2f76c5558ba113df10852f305170773c2
                                                                                                                                                                                                                                        • Instruction ID: 9fb595693c5282d467a8f97d32d9fdab04e233dcdd2c33ec98c96b8317b31bec
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 964dd7841058b76da878c8aa296a6ca2f76c5558ba113df10852f305170773c2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7C613562B2EE0F4BEBBC9B9E506157963D2FF95340B4101B9E0B9CB1E6ED24FD014280
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: ^M_^
                                                                                                                                                                                                                                        • API String ID: 0-3273950326
                                                                                                                                                                                                                                        • Opcode ID: edb2e6c9c4768e9c89cc84feb059d196a8c716111a288e1e62d670a1161247f9
                                                                                                                                                                                                                                        • Instruction ID: e159245eaabe53d394d3eeea282ff8b9f39ec59c6549c43f2cc5785228b1e022
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: edb2e6c9c4768e9c89cc84feb059d196a8c716111a288e1e62d670a1161247f9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 44519322B1D7964FD306B778A4651E93FB1EF4623570942FBC089CF0E7E9582886C395
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: X
                                                                                                                                                                                                                                        • API String ID: 0-3081909835
                                                                                                                                                                                                                                        • Opcode ID: db2f51e3a30406000514be0aea2f7462872d290eb114a50939edb2454208bb86
                                                                                                                                                                                                                                        • Instruction ID: 07c7ff2e227b6be5a7509d33ecbfdaf93deacf4d39cf6508c881d785cc9801b2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: db2f51e3a30406000514be0aea2f7462872d290eb114a50939edb2454208bb86
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 37611271E1965D9FEB68DBA8C8547FDBBB0EF05310F5001AED049A32E2DB342645CB41
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: H
                                                                                                                                                                                                                                        • API String ID: 0-2852464175
                                                                                                                                                                                                                                        • Opcode ID: 12ba637650149eef2a845263b27337c4701f8db91a53170e3b5cc37efa6ef7f5
                                                                                                                                                                                                                                        • Instruction ID: 6c907dfec21ec32ce5c950368df7b2580dd31eac54fae79e03a8fca0a7e0c5cb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 12ba637650149eef2a845263b27337c4701f8db91a53170e3b5cc37efa6ef7f5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 42413531B199494FF398FB7C84696B97BD2EF9D210B0546BED05EC32E7DE2868028741
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 8A_H
                                                                                                                                                                                                                                        • API String ID: 0-547840156
                                                                                                                                                                                                                                        • Opcode ID: 499f526c8adf2c75c5fd84819af6e4750f473d7574d09b1bb4afcf963dc0f316
                                                                                                                                                                                                                                        • Instruction ID: 5405dd503ce69dbaac9659b9d20b87270973d5e60cf9677b6d49aa2d8e64139e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 499f526c8adf2c75c5fd84819af6e4750f473d7574d09b1bb4afcf963dc0f316
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 42412C12B0EA8F4FEBA5DE6C44A063837D0EF56380B1605BED05ECB1A6ED19FD418B41
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: :
                                                                                                                                                                                                                                        • API String ID: 0-336475711
                                                                                                                                                                                                                                        • Opcode ID: fee468451413344dfe7678701349d574eb7fd0b250c2dd35142e67217deccb6d
                                                                                                                                                                                                                                        • Instruction ID: 1a5ac3a55dc2eb62fd86124343ce8ddd1529b821bdb9b810aea34ed9cdb8c378
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fee468451413344dfe7678701349d574eb7fd0b250c2dd35142e67217deccb6d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E3414812B0E5990AE755B7BC68645F93F91DF8626574902F7D48CCB0E7EC0898C18391
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: _O_H
                                                                                                                                                                                                                                        • API String ID: 0-2361950764
                                                                                                                                                                                                                                        • Opcode ID: 5dcbae02414c420885c2b26412829326b329d0574368d5dc5cfea9bae1b03931
                                                                                                                                                                                                                                        • Instruction ID: d95ae9eab28267d77079b4e87da309606043dd5eb89ddce5bef57d976e23e610
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5dcbae02414c420885c2b26412829326b329d0574368d5dc5cfea9bae1b03931
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F5510770A19A1D8FDFA4EFA8C855AEDBBF1FF59304F11016AD40DE3291DA34A941DB40
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 8A_H
                                                                                                                                                                                                                                        • API String ID: 0-547840156
                                                                                                                                                                                                                                        • Opcode ID: 350b9f62f82df0dff00d9d60d5adbed43c1ccb9b6820b9a4a10a0a0b858e561d
                                                                                                                                                                                                                                        • Instruction ID: 620d9df05c31febea30841c4789b20fa1efea63b1173de6546bd0614c373d534
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 350b9f62f82df0dff00d9d60d5adbed43c1ccb9b6820b9a4a10a0a0b858e561d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CED0A703B4F90E0BE464919C3C9107863C2E3DA5A0B9216BBD51AC735DDC076E4303C0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 81e1987f5f44b210468466472330336ac6f962536b999ec4211a19506d8f52b9
                                                                                                                                                                                                                                        • Instruction ID: fb281be67936e680e6d524bc732c97b9f3fb6cfaf304e53b2103dc6032a33d80
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 81e1987f5f44b210468466472330336ac6f962536b999ec4211a19506d8f52b9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FF623770B1DA4E4FEBA8DB698465A797BE2FF95304F5000BDD09DCB1A2DE24BD428740
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 57d1513abd18c7de5b4df2af4815f296698ab9eff982277284ac7f4182b03ac0
                                                                                                                                                                                                                                        • Instruction ID: 2a43c433ce23396500030096d9425540685779b6af77dbb1886afa7dedebb3bc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 57d1513abd18c7de5b4df2af4815f296698ab9eff982277284ac7f4182b03ac0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3F320520B2D98D4FE7A4EB7944756B97BD1EF5A340F1405B9D09ECB2E7DE28B9028301
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: afa885dfde0ddd9d63f38987f2788b2bf4dd93750f28f412d0ca91403b4a864c
                                                                                                                                                                                                                                        • Instruction ID: 4b25d5c94e130b249ac86cbc32ff35958f0a2a802d8f2f44fb09029fc7cc306d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: afa885dfde0ddd9d63f38987f2788b2bf4dd93750f28f412d0ca91403b4a864c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CB220330B2D78D4FD769DB6CC4A563A77E1EF85308F15457DE4CAC72A2DA28E8028742
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        • Instruction ID: 78f409da1e140912d6cc15f269590383a38391425e3d6f931f49b51ea9a3fff2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 16e26935ff3c8c40eb766800bbe54de660c55d5be7194b25e759714cce894603
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F5B19C11B1E65B0AE33896A854E51F837D2FF51319F29427EC4DBC20E7ED28A5A75340
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 41d9e6ed661f44d49f644873e1e69c9f1b11a339ba1e4c6b20e986f4f6a09a48
                                                                                                                                                                                                                                        • Instruction ID: 507fbc153e03f2822eff34511ebdfe073c429b3827bbeb3906e8a26cacc32070
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 41d9e6ed661f44d49f644873e1e69c9f1b11a339ba1e4c6b20e986f4f6a09a48
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A3B14B31B1EA8E4FE7A99B6E44751B57BD2EF9A700B0500BAD09DC72E3DD18BD428341
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: fe6f6884fd4fd39ad77a9b836c7f16e606f72ae4889daca04bd070616de9a591
                                                                                                                                                                                                                                        • Instruction ID: e150a1e313906f5fc17547aedb25d045736e642ba7d177b7a2599a10c5107cf6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fe6f6884fd4fd39ad77a9b836c7f16e606f72ae4889daca04bd070616de9a591
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FAB13A22B0E6594FE719FBACA8B25F97BE1EF4532470502BBD09EC71E3ED1864468344
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6bd7307ee3b7927e2d6996d106d292f2b139e1ca86eda0493fe308281bd733c5
                                                                                                                                                                                                                                        • Instruction ID: 772f23de5b4e8bb8290e4d21c83e7218e8136c9541421bd1127e2766e7c0ca7a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6bd7307ee3b7927e2d6996d106d292f2b139e1ca86eda0493fe308281bd733c5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D0A16B61B1FA8E0FEBA1D76A58642B57BD1EF56350B0901FAD0DCCB1E2ED297906C340
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6d3c86bda7b6abed3945d3ad3ccf1f32ce7e1aebb79be162fb64f90e6b43835f
                                                                                                                                                                                                                                        • Instruction ID: 64ff0203c99803f9a3d7c180911ecec8389fe57ad6f99407d908f3ed52203733
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6d3c86bda7b6abed3945d3ad3ccf1f32ce7e1aebb79be162fb64f90e6b43835f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7DB1E831F0A65D8FEBA8EB6489657E97FE1EF46310F0402FED04DD71A2CA282946C751
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 2cec39fbcd56e2faf75a87fc567fa24d92c483dbaba6318af631dbd91f7225e5
                                                                                                                                                                                                                                        • Instruction ID: d6cdb80ddcd29c2fb51b5c76f47a1fe8f114daa7eb09fa3ac943f07ee242bf4e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2cec39fbcd56e2faf75a87fc567fa24d92c483dbaba6318af631dbd91f7225e5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 58A12730B0DA4D0FEBA4EBA89460AB577E1FF59314F0542BED04DC72E7DA19A846C341
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 22fa7e0e883365d13e54843a361831877dd8a1da5c125347cc479591abce7b0b
                                                                                                                                                                                                                                        • Instruction ID: 7f96e89867666c52ec8bcd6ab16504aa3401c29b5c4fe22b0d79d1cac918b53a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 22fa7e0e883365d13e54843a361831877dd8a1da5c125347cc479591abce7b0b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 92B18471F19A4D4BEBA8EB9894697ECBBE1FFA4310F4002BAD05DC32D6DE2479418741
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 9f3a81eeacd813b795af274a708b13ca67fc945cb64fc8300241441a9a6e823a
                                                                                                                                                                                                                                        • Instruction ID: a814fb12170f64f817b87e7d6101a1aae37f04ac9ebf835be6179bd2c6bc08c2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9f3a81eeacd813b795af274a708b13ca67fc945cb64fc8300241441a9a6e823a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 08B1B271E09A4D8FEB59DBA4D8B5AB8B7A1EF59304F0500BDE09DC72E6DE256801DB00
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f404fdf7d29cf73cfb381f4664c91b38025e84adcad92859f6f35f2af46b475c
                                                                                                                                                                                                                                        • Instruction ID: cd7850c44104f44de8bb79fc5fba758791c4f95fbfc00561ff077a7f482c0454
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 08a49bea0191d7e346125924b82072132bb2b14f539fe8bc1ade2ee8a464be93
                                                                                                                                                                                                                                        • Instruction ID: 189bacb4c7ddfd368a64ae711db1229403fa868ecf3e8e3ad52190d5909d3030
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 08a49bea0191d7e346125924b82072132bb2b14f539fe8bc1ade2ee8a464be93
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C9B1FB70E0955D8FEB94EBA8C864BADBBB1FF59300F5541A9D00DE72A1CB346985CB40
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 9cccca6b43a2c9061225f89bded67575100cfa9faeec80fc581ae82946054224
                                                                                                                                                                                                                                        • Instruction ID: b51ab1d6f3652cd554e15634ef11ed5badb49add1c55fdf95b0ff143f17bf2af
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9cccca6b43a2c9061225f89bded67575100cfa9faeec80fc581ae82946054224
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3891C771F1AA4E8FFBA4EF68C8659ADBBA1FF54300F41067EE059D3196DE2469018740
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d30713e883705cff24f39ed08d40ec1e1f7362e4342b6b72d0a8b4ecaf599d5a
                                                                                                                                                                                                                                        • Instruction ID: b3f7549ec4dab71c0dc368f27b7c425ad7cf676324610481ab1c080b008fcf08
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d30713e883705cff24f39ed08d40ec1e1f7362e4342b6b72d0a8b4ecaf599d5a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C7818B71A1DE8D0FE764AB28C439776B7D1FFA4350F04067AD0CAC71A2DE28B9429342
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 808ebe6a4c42923e7d5e813fb5308ebe9c5d6056a42cfb518ac297203d376d7d
                                                                                                                                                                                                                                        • Instruction ID: 6605cb3b499a3877160ab944ed78d8a6c5ac032ea4098c26321da645755f3f0a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 808ebe6a4c42923e7d5e813fb5308ebe9c5d6056a42cfb518ac297203d376d7d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EC91FA70A19A8D4FEB84EFA8C854AED7BF1FF55300F1402BED459D71A6DA34A846C740
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7b47fed47aa8ec4650367872ab6570ecb899903964ddcc2e0e5c48af9f5c43e4
                                                                                                                                                                                                                                        • Instruction ID: 74539360b9f1261d610e1096e6f1ad1b3d115121d129059ac88de1faa4e3be2e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7b47fed47aa8ec4650367872ab6570ecb899903964ddcc2e0e5c48af9f5c43e4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C812422B1A59D4FE715FB6DA8B64E57FB0EF51228B4903FBD098CB0E3EC0414458351
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f20e698bcafccb32ad1d9f10156bcfd66ff5b4afc6c2f10529d186f2e1092c85
                                                                                                                                                                                                                                        • Instruction ID: 35bdaea97ac3b70bd385a1f0ba67cba298d53c07a6dba2a48cd2b6b99f2af782
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f20e698bcafccb32ad1d9f10156bcfd66ff5b4afc6c2f10529d186f2e1092c85
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 80615921B0EA8E1FF7A5977E54791B43BD1EF96600B0500BBD099CB2E7DD18BD428341
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d67c30fc8d315a58be394a81e28937db1990cdf7347a254080c51816c604da40
                                                                                                                                                                                                                                        • Instruction ID: f455bacecd8bac7d05bad60b5a0c46fbe8298992a1f326e87beeaaced8b1c3dc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d67c30fc8d315a58be394a81e28937db1990cdf7347a254080c51816c604da40
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E4710761B1EE4F0BEBAC9B6A5075A7977C2EF9538074400BDD0AECB1EBED19BD014240
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a22ae11008b0f75c2eaab8af4c7b10f16a4a9ed88d4887d0fc9b2541c912a0c5
                                                                                                                                                                                                                                        • Instruction ID: 3a6592b578fa42ac3b88017ec2b7270397edd12f1f5b64886983b995836f65bb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a22ae11008b0f75c2eaab8af4c7b10f16a4a9ed88d4887d0fc9b2541c912a0c5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D9618F22B0ED4E0FF774A6AC58696B57BC1EFA976070501FBD48DC72A3DD14AC069381
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7895038b0a4810ec5a19b5e6d6b9e604f7f7f5d61a622de909155cc1de1138a3
                                                                                                                                                                                                                                        • Instruction ID: 9895f2b40d09718faedd2b5fa5943467f9cb1c9f01211c4bdda6288791dadf9d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7895038b0a4810ec5a19b5e6d6b9e604f7f7f5d61a622de909155cc1de1138a3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AB812431F0A64D4FF764EBA998656FCBFA0EF52310F45027ED05D971E2CA3866468B40
Memory Dump Source
• Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: dc8b2112801d9f5c929c830f5e9a44b12ae420fbab52b12221858080d343a076
                                                                                                                                                                                                                                        • Instruction ID: c73e4126d86c2d2085666815fe8f20e466789d61c21d6c3cfff5cbebb0bcc373
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dc8b2112801d9f5c929c830f5e9a44b12ae420fbab52b12221858080d343a076
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 15619330729A494FDB94E76DC465BA9B3E1FF99300F0145B9E09EC72E6DE24BC418781
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 38653ecb10388579d57aa7987ecfa8f0247fe44a7e0a3f46ba8372b8a3ae290a
                                                                                                                                                                                                                                        • Instruction ID: f5a6e8c27733bfe44ffcdf48459f04d872605f410e309b261249a2f3bd8edf29
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 38653ecb10388579d57aa7987ecfa8f0247fe44a7e0a3f46ba8372b8a3ae290a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4651F432B1DE4D4BE7A99A5E44A457977D1FF99B00B0500BEE0ADC72E6DE24BC428381
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 2535aa7ef89258411ed27d562ba0d902fe04a7f5d8fcfa1c5bf13a58bed8ed20
                                                                                                                                                                                                                                        • Instruction ID: 7fae4aa7cc461f85994a62c0f879abc43cfcec9aca1085de3eab5cd3b2448ba7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2535aa7ef89258411ed27d562ba0d902fe04a7f5d8fcfa1c5bf13a58bed8ed20
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 48512130719A0E4FE7689A58D895A7173E0FF99314B15067DE4CEC3662DA29F8838781
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0ac471fdb78b59c17d4c3b8d799692cf5e314e3ac614e66496a6875acf62cbc7
                                                                                                                                                                                                                                        • Instruction ID: d07e0c62ded92893a7abd9c800af861b2727346746e18e85c85739ceb46325ec
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0ac471fdb78b59c17d4c3b8d799692cf5e314e3ac614e66496a6875acf62cbc7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 46612771A1EA8D5FE7A5EB7C98286E97FE1FF45310F0402EED049D72A2CE246945C740
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6b52c7fae40f3b4fcdcf58ec7e34dfb74c2b3faeeed7c0c3b4523d3559bf10ed
                                                                                                                                                                                                                                        • Instruction ID: 54729d11f5cded814c703e92cbc350bba934f42f073d1871b54b285a79acb661
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6b52c7fae40f3b4fcdcf58ec7e34dfb74c2b3faeeed7c0c3b4523d3559bf10ed
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 45512432B1A6594BD765BBACA4668E93BE0FF50328B0502BAD0DDC71D3DD1464868781
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ea45b4ff6212dd9c225d7a05a742528526b59b8309aaae17f28f0b57ffca9ce2
                                                                                                                                                                                                                                        • Instruction ID: d98288f2028ba109ad7486ae799d820aeae33f031e31b86b0e8e492261544f5e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ea45b4ff6212dd9c225d7a05a742528526b59b8309aaae17f28f0b57ffca9ce2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9F51C402F2F99E0AF776B2E864314F86FB1EF51764B0943FBD0AC461EB9C4879464241
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6143e4ade14c150f971c739786536a3d73fde74896a608fe7e4c1dc66ecc7d8a
                                                                                                                                                                                                                                        • Instruction ID: cf7d64726c00f4519bea6c50cc83357b340d871ece6c9ca48b69bea5431d9c7d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6143e4ade14c150f971c739786536a3d73fde74896a608fe7e4c1dc66ecc7d8a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F451D402B2FA9E0AF776B2E864314F86FB1EF51764B0943FFD0AC461EB9C4879424241
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 3969a3839b90ba3f0cc9a254a9655b3842482ccb6ef2fc7a70dbca4d6d4a0916
                                                                                                                                                                                                                                        • Instruction ID: 126b8426b4150912e9f8058c70bd0d50f5b77f7383e217504cca475943ca9ba7
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3969a3839b90ba3f0cc9a254a9655b3842482ccb6ef2fc7a70dbca4d6d4a0916
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DF51C362A1EBDD4FE766866E5C715643FE0EF4BB10B0A00FBE0D9CB1A3D91868068351
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ecfb0a3d4a4790e010d14e15c32f430203a2340d5fc004b9ec46ff31b8b6d7ce
                                                                                                                                                                                                                                        • Instruction ID: 742c0dc16b455e52fc9c6e66065d4e779e0be0a18ca75607497382875c7c9fcf
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ecfb0a3d4a4790e010d14e15c32f430203a2340d5fc004b9ec46ff31b8b6d7ce
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EB51F923F0F55A0AE7657BFCB8715F57B91EF4222970D02F7D09C8A0E7DC0A68828685
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e1be68eb881c831965869fb3d0028dd29693cf1ced721c0cc69c2770b4e4d988
                                                                                                                                                                                                                                        • Instruction ID: 388968b2ae9d2a2315d1f3adbf8d9f5395bedfbba7a3a07063196718ca52ae83
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e1be68eb881c831965869fb3d0028dd29693cf1ced721c0cc69c2770b4e4d988
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B411332B1A92C8BE764BBACB859AF97BE1EF94331F0402B7E40DC7196CD14584983C1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ed482122048107ba3b674b9fc1a4400f2d41ee7948b2bac74feb4eb2d1c5a844
                                                                                                                                                                                                                                        • Instruction ID: 3221da11f4ce19500ec690cc2bf2701e7fa006a9e372d9b21dbebb1226dd9ece
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ed482122048107ba3b674b9fc1a4400f2d41ee7948b2bac74feb4eb2d1c5a844
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5641F271B0EF0D4FDBA4DE5D845957A77E1EB99310B14027BE489C72A1DE20FC028785
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: fc503b8cd2180e1d047bc09d8cf8c69931cba6611bd6e39935cced95c57f4eb3
                                                                                                                                                                                                                                        • Instruction ID: 6508e85ef050c6a43cb0f9413448d374e655c395839e237d06e211f9d0e7bc1b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fc503b8cd2180e1d047bc09d8cf8c69931cba6611bd6e39935cced95c57f4eb3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DE41E822B1EE4E0FE7A5E76C94645A57BE2EFA925070502BBD04DC72E6ED18A8024351
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b3b649f42ed99c37872de2b8ecf560434e605dcb59f5dad298753040c4cc5a99
                                                                                                                                                                                                                                        • Instruction ID: bf1dec731140c9b4bfeeb07f211a15780d1f0c1100076178a66d143711b8cd01
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b3b649f42ed99c37872de2b8ecf560434e605dcb59f5dad298753040c4cc5a99
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A7512A73A0E79B1FE716DB6894B15E47FA1EF42214B0941FBC4A88F0E3EA1478058765
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ab390cd74896455f972e647e107715e077296f2dc240ed4cb22b544f4f0d1187
                                                                                                                                                                                                                                        • Instruction ID: 9187dc76af3487094d2d1f5108b46ab2a3d1028a804beaedaa26b913df5a36f9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ab390cd74896455f972e647e107715e077296f2dc240ed4cb22b544f4f0d1187
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 39514B70B1E64D5FE365EBB48869DB97BA1FF85304B5145FCD09A8B1A3CE28B902C740
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 305fe4e46cb4153a1d5ca263761d7139c9c64d93b743f9d2639a1bf6084ed226
                                                                                                                                                                                                                                        • Instruction ID: 410f04716a9202de24ea71b2a839eadff3e3f05f99e968f057d1ee288540936a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 305fe4e46cb4153a1d5ca263761d7139c9c64d93b743f9d2639a1bf6084ed226
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EE512762B1E68D9FE759EBB898765E9BFA0FF11214F0803FED0998B0D3FD1421458681
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ddbee7677dec7999119d0ed75d649808feefb8614bdb9856e07a1a1470551441
                                                                                                                                                                                                                                        • Instruction ID: 68909db8fc80a295cadebe9acf0c57361b25e1bd3d69a88fb6634bd2208e8bd3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ddbee7677dec7999119d0ed75d649808feefb8614bdb9856e07a1a1470551441
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AC512970A19A4D9FDF94EF5CC4A5AAD7BE1FFA8340F05016AE45DC72A5CA34E840CB81
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 381bc733a4d5b896ab5bb961f56eb61c0b790ce9fd72df0de9ef5f591e32e2a1
                                                                                                                                                                                                                                        • Instruction ID: f9ec9d0f78d0bee47abddda7c703a276490fcdf4695c7328e27b581a31f8f3b1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 381bc733a4d5b896ab5bb961f56eb61c0b790ce9fd72df0de9ef5f591e32e2a1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 95511E70E0D55D8FEBA8EBA4C4657BDBBB1FF55300F5594ADC00EA72A2CA346985CB00
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 612a08ca43a0bb75cb7bb69640ac84e009e5549f1ba787c3264019b71cffd215
                                                                                                                                                                                                                                        • Instruction ID: 93d1a595c3f29ecc75e3e349418449450c85de6d1b56a64ab42a0d61a7772a73
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 612a08ca43a0bb75cb7bb69640ac84e009e5549f1ba787c3264019b71cffd215
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 33412731B19A5D4FDB59AFA8D4665F937E0FF54318B0102BAD0DDC72D2EE24A9428780
Memory Dump Source
• Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
Memory Dump Source
• Source File: 0000000D.00000002.2375885450.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 32cd072b6c986623426b78df3021f1fcc95ba3f6b991a5d056a45a4d17f890ee
                                                                                                                                                                                                                                        • Instruction ID: 275c99cd0b4768103126c3b98cfd17e4f6976c6033339071f0b9a51bb04b3796
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 32cd072b6c986623426b78df3021f1fcc95ba3f6b991a5d056a45a4d17f890ee
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1341493061E68D4FD765EBA98865AB13FF0EF56304F0904FAC099CF1A3D629B941C751
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ad77b162054af0530c295efad3a5f10b46419ed9c26bb9bdac6268d5815518e4
                                                                                                                                                                                                                                        • Instruction ID: a5388ea63d2de7544e2641828e654feb60c286abec5e766724b26d53bea1e076
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ad77b162054af0530c295efad3a5f10b46419ed9c26bb9bdac6268d5815518e4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1C31082071EB5C0FD764975C98657767BD1EF85B10F0502AFE489C72A6CE24BD4183C2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 34b506e945d14d70313a0867df387ee64b19e692695b9ad6144c9babc60cb38c
                                                                                                                                                                                                                                        • Instruction ID: c5e695820cf0397ec0ca8e95ecbc0a40972f8d9632a478d1f257c966524d4910
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 34b506e945d14d70313a0867df387ee64b19e692695b9ad6144c9babc60cb38c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4041A030B0A95C9FEB94EBA8D4256FDBBB1FF4A301F12047ED049E32A1CA796945C740
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2375885450.00007FFD9B570000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B570000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b570000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 905cf35e1f0fe6a7e15fae282dc509a51b41bfb326ead4bca976944aa514f955
                                                                                                                                                                                                                                        • Instruction ID: 6372bf0603ec9e8b1842319ccc6625a9bbbaa979475b6e652195bd2ee6114dbb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 905cf35e1f0fe6a7e15fae282dc509a51b41bfb326ead4bca976944aa514f955
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4731E871A0F68D4FDFD2CFA48CA55E93FF0EF55640B0A42E7D058C71A3D9246A568780
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ddc0440ca11bc2d0353468f4a8e0191a803e273b85cfbe96359e334aca26b7f6
                                                                                                                                                                                                                                        • Instruction ID: 87d1a59305f0d5fc1ae376bb5f05b6af6fbfb884d7e83399d1ef2781b3f6da04
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ddc0440ca11bc2d0353468f4a8e0191a803e273b85cfbe96359e334aca26b7f6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 85312613F5E98E0FEBB992BC94745752BD2DFC525074A05FBD089C31E6DD18A9139340
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 334403c7640e2f7e16aa06ff9081909e98a4860d1f50d3b86c1c20a5020e6ce9
                                                                                                                                                                                                                                        • Instruction ID: 9a927872fbdda82d1edf638cec65c6293e2d3ecdacab590c826e76c584a3a712
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 334403c7640e2f7e16aa06ff9081909e98a4860d1f50d3b86c1c20a5020e6ce9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0731585422E9CC1FD3A697B829BD4F6BFF1DE4B0147480ACAD4C48B163C50A691BE355
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6d1fb5223c9d496e5e2b5f225ca74e2dbf9f93fbb98dc3b6554078720ff958f7
                                                                                                                                                                                                                                        • Instruction ID: 95e85e85b45730945179fc16dd8ab86dc0ed04c7ed4f859ee456ff55ff4acd93
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6d1fb5223c9d496e5e2b5f225ca74e2dbf9f93fbb98dc3b6554078720ff958f7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AC310831B1DA494EE7A0D658D494676B7C1EFA4328F05057AD48CC32B1CA68EA91D387
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d9f3ff1a028c254b5955d5a34ed40dd225c401545e5c8bd08f14f34d99ef54c2
                                                                                                                                                                                                                                        • Instruction ID: 76736c6d35a89498f163cc7987b2601b3f496f5621cdb4019af78ebbc152b2d9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d9f3ff1a028c254b5955d5a34ed40dd225c401545e5c8bd08f14f34d99ef54c2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3F315D71B1FA8D0FE37997BA54255B97BD1EF45304F0505FDD0AA8F0E2DD19B9018240
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 22cd3087cb8b88abe81bbc3c9bb0ce921128bda5444e56752ee69dbc8c431c23
                                                                                                                                                                                                                                        • Instruction ID: 9b5d496985d9faf98a7a2ae2a202e54d32362b32b60b823287a99707c88b2a23
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 22cd3087cb8b88abe81bbc3c9bb0ce921128bda5444e56752ee69dbc8c431c23
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4131A071B1D94E4FEFA8EF5884A19A973E2FF64700B1041BAD05ACB196DE25F9028780
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c8cceb14e92dccb7a7367db003f287f833b0f6c169425ef5a3783d488e37d236
                                                                                                                                                                                                                                        • Instruction ID: 82c6c47032c3729ab380e556acf599c009ccc4d2b73037beb2d17b3a7adc75ab
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c8cceb14e92dccb7a7367db003f287f833b0f6c169425ef5a3783d488e37d236
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 99213A3170A91D1FE7A4DB5CE8247B9B7C1EF88315F4501BAE48DD73A5CD1AA94283C1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: dc2dab6ed49ea4d4affc501a8e2491a9c42cb749a89c641aed0b9b8786ac925f
                                                                                                                                                                                                                                        • Instruction ID: 3f6bb4a0ee22ce9fda5eb6496146e99702c66f9d2e95c3b238dc4e05e97edd39
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dc2dab6ed49ea4d4affc501a8e2491a9c42cb749a89c641aed0b9b8786ac925f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 62210972F1EA4E0FEB68AB6968251F877E1FF46210B0501B7D46DC71A6DD2979024340
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 723bb48c82a103da5176f5ac018acc143aca4899ec5fec895c39247993f80586
                                                                                                                                                                                                                                        • Instruction ID: 07a63b0dc691f019619e3bcbff8e37bdfa581cccb415b03548b2be4aeef5e54e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 723bb48c82a103da5176f5ac018acc143aca4899ec5fec895c39247993f80586
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2D31E370E19A4C5FDB84EFA8D8655FDBBF0FF59300F0005ABD009E32A1CA24A945C781
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 74e030b75e4bb101954323ed388a346fcfd2e3ba44a0c9c3b3de1099bb6bb1f5
                                                                                                                                                                                                                                        • Instruction ID: d375e6ac309971e011bde0bc4d898ab6879e0735f3f5b59521954ac908b740fa
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 74e030b75e4bb101954323ed388a346fcfd2e3ba44a0c9c3b3de1099bb6bb1f5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 24219F22B4E7D90FD76B47B898765A13FB1EF4222431A41E7D084CA1E3D91E9D87C352
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 4f09819e4238a53d2af17d1199765bfca4687bba8a4aa2eeb5227b213ead99a2
                                                                                                                                                                                                                                        • Instruction ID: 0aaf08b3a02483db95cd0d00dadc5aec975acc1ea0830a78fdbb8e4c91d31b7d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4f09819e4238a53d2af17d1199765bfca4687bba8a4aa2eeb5227b213ead99a2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BC319831E0994D9FEB55EBA8C9555ECBFF0EF19310F5402BDD04DD7192DA3825428741
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b6ad33748bfe8f213be7d1fb03779964faaf05461fc0218ff6b65114cc1c1e8f
                                                                                                                                                                                                                                        • Instruction ID: dc4e2e56c9ab5f30cd1f2033e3bebd04e88660622a459c291a342ec504bedb36
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b6ad33748bfe8f213be7d1fb03779964faaf05461fc0218ff6b65114cc1c1e8f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AF210731B1CA0A4BE768EB98E4928F677F0FF5432471402BED05AC3597EE24B9428784
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 529d52c3c4fcc4f331fa6081c3188d23f4c2ca017f7c5a535c359a0d9fac19a8
                                                                                                                                                                                                                                        • Instruction ID: 33c288cf48752ee84d15d0ee6a276868b07fb0a2cd0f219ed106d6975b04bb15
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 529d52c3c4fcc4f331fa6081c3188d23f4c2ca017f7c5a535c359a0d9fac19a8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 75212862B1E9CD4FFB61EF6C9C502E97FA1FF65200F5501BEE448C60E6DA206901C740
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f52defe401bdddc1f6b5922fb757d3af662e88aa9e96c15b691e5e8dde1d1894
                                                                                                                                                                                                                                        • Instruction ID: 113fa662752e883977ce08f448b29ced3d72ffe2c66198d673f7d1682298e908
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f52defe401bdddc1f6b5922fb757d3af662e88aa9e96c15b691e5e8dde1d1894
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2F219D3170EA4C9FC795DB6C98A8A647BE1FF9D31071A01EBE04DCB2A2DA11AC41C745
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d4890482f4a5be763ac3e8c4c54f6ad5a3f88e6df34740ea39775e903fc71e58
                                                                                                                                                                                                                                        • Instruction ID: c2f2ba09583474f448e12e4a14228d9e9a2ae19928b6c3f41bc84c9188f280f2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d4890482f4a5be763ac3e8c4c54f6ad5a3f88e6df34740ea39775e903fc71e58
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1B218271E1E99D4FFBA9EB6888652A97BA1FF58300F0101BAD44DC6192DE346A81CB41
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ebfa0e75ba34002b01d1381f51a289991c6cf59d35419dd9d401ba480b15ab69
                                                                                                                                                                                                                                        • Instruction ID: 62c1563e4ddb8067669b3925efec11c0fb365319bd0ea61013278454d17b379b
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ebfa0e75ba34002b01d1381f51a289991c6cf59d35419dd9d401ba480b15ab69
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A217C71F1EB0D4FEB6897AA94269B93BE1EF55310F0001BAD05DC71A2DD24B9418381
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 5fd46b3d2e2e111eecc4e39694d559afac3972e450e4c29aa9d8c13c7708307e
                                                                                                                                                                                                                                        • Instruction ID: 708dc469ee8886283a3d1e9afd60f1809795e026fcc3e5ae3f9aa5ad6e4b26c2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5fd46b3d2e2e111eecc4e39694d559afac3972e450e4c29aa9d8c13c7708307e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 66219D3198E3C95FE3229BA068225E57F789F03211F0B01FBD088DB5A3C52D569AC362
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a5e7f771d708c2603e51c0b731243f68c25397d57ced8b34e3ba2e8f2198b035
                                                                                                                                                                                                                                        • Instruction ID: aac59b7391e3423a6aaff361929c8d697ad4674d469f60eff424119581926ee8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a5e7f771d708c2603e51c0b731243f68c25397d57ced8b34e3ba2e8f2198b035
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0C213636A0E6995FE325BB7888225EA7F90FF42310F0502BFC0498B1E2DD2869448681
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 18d523b66fc9700c8ee624d099cc33eeecc6c1e4b40f3607c5ecad539c05f24d
                                                                                                                                                                                                                                        • Instruction ID: 76395edbbea789ad0b4c05130434bd70c2e78f42ec86c1bb68d0931a3719ceec
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 18d523b66fc9700c8ee624d099cc33eeecc6c1e4b40f3607c5ecad539c05f24d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F621575161EACE1FE3A1A77C88645B57FD0DF9628470805FAD0C9CF1BAD8246D09A340
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 57a498ca1add6b909abbba85e7b70b368002c69cde8a8c16b3a1eb5dd4a72440
                                                                                                                                                                                                                                        • Instruction ID: 08931479af326724ae8c0203eea07f61cdb80944da13fbaf1c0b6c7993eae22f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 57a498ca1add6b909abbba85e7b70b368002c69cde8a8c16b3a1eb5dd4a72440
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9321763021A50C5FC364EBA98869AB63BE0FF86304F0405F9D059CB1A6D639B990C780
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 4a2285990b83a345bdcede8ea50e22a891ba68240d140bb55829fa4ceacfde55
                                                                                                                                                                                                                                        • Instruction ID: 38798fff02487548e52f0720bfaca4359bd0fca9de732a38c11e9ff6a4e17ecc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4a2285990b83a345bdcede8ea50e22a891ba68240d140bb55829fa4ceacfde55
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EE11E532B0FD4D0FE7E445AD7CB51767AC2DB9961970601BBE88DCB277DC229C418281
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 625eacab0a8d51be8521df3d60dea5e13290d58d814cf9428b24b00417dfa8ff
                                                                                                                                                                                                                                        • Instruction ID: 91d493d0f845611c2b4c02ef890c284b85ef443093b1be606e33843f139fa65e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 625eacab0a8d51be8521df3d60dea5e13290d58d814cf9428b24b00417dfa8ff
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3C114223A0F3A61FD711FBACE4F19D57F61AF5221871902F7C0988E1A7DD09348686A5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: dd68806980a8f359d3fe630f04339cb73a13719456b3b34d7919b2adc9ea0048
                                                                                                                                                                                                                                        • Instruction ID: d261ad1d8261133a9c0d212ebf14215d1d2b1106f08a8f766b6878f789d4b65f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dd68806980a8f359d3fe630f04339cb73a13719456b3b34d7919b2adc9ea0048
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2811B675E0991D8EEBA8EF9894656BCBBB1EF55301F0111BAC00DE3261CA306981CB00
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 896acf314fb98203cecc7531684961bb4c1ee1fe2d53bfe35064758d36971027
                                                                                                                                                                                                                                        • Instruction ID: a25fb16b97c98557321f7fa9a39c54cd5efee1b4f7d21be4b459a7750f716625
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 896acf314fb98203cecc7531684961bb4c1ee1fe2d53bfe35064758d36971027
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 97018631B1990D0FEBA4EA9CA85477677D5EB98361B41027AE40DC32A6ED55E8414381
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 93fbfb0c294d1d17b0859babb9dad2cbe643e844ed133d2df5bc1840df4ca20d
                                                                                                                                                                                                                                        • Instruction ID: da3d672ab28793b64a59f5aefec01b3ff2d04bb5836ef6615a95aacdf952dc74
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 93fbfb0c294d1d17b0859babb9dad2cbe643e844ed133d2df5bc1840df4ca20d
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9B11C270E1A74C9FDB55EFAC885A6ADBFF1FF15300F0402ADD48597162CA34A802CB41
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6e32c958048cdbdd406ada7416405fb0e909ec1565f75337c18788f3bfe20c03
                                                                                                                                                                                                                                        • Instruction ID: c144dff9c420f64a467729e593e2d7d0a9c016ffcea07ee0aa8d1907c0b7f28e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6e32c958048cdbdd406ada7416405fb0e909ec1565f75337c18788f3bfe20c03
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A101F73161FBDD1FD352877898212A17FE0EF86215F0906EBD4C4CB2A2C91658568391
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: c4c8c16e545984f52caf8d6809344ddc552b784df999de316c1107d4ceb084c6
                                                                                                                                                                                                                                        • Instruction ID: 75366c0751ce7917245cc97c43f1e1ab69db61f6db9f0ee2aa72f86d50d941ad
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c4c8c16e545984f52caf8d6809344ddc552b784df999de316c1107d4ceb084c6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D01F731B1D90D4FEFA8DA6D9850BE873D2EF88350F4540B6C00DC7296DE24AD42C741
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 1d55447e06ddbae52739be854352d8531c63f34f6624e7dce39fd916e78ed926
                                                                                                                                                                                                                                        • Instruction ID: d9c8f292065b59823a00d6d29f1d6164319baa8238d53864829a599af06c2d1a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1d55447e06ddbae52739be854352d8531c63f34f6624e7dce39fd916e78ed926
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0601F712B0FA5A0AE329F77DA8A64E4BF90EF8212070953FBD0088A1D7DC45A5854281
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 03091e4893af0601e5a96076ebabd1c14b0bd57ed77663162f4525ab4715c3bc
                                                                                                                                                                                                                                        • Instruction ID: 9657b09e53787917fc85ef0bd78478143e3c30bd540fbb3d2f30d1a02a7e6461
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 03091e4893af0601e5a96076ebabd1c14b0bd57ed77663162f4525ab4715c3bc
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 74012621B1EF4E0FE7B4EBAC64A54B5BFF0EB94210B0507BEC04AC319AED586C468341
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 86b72f2ad2312221c91ac00ccdadd2c60ecc1c8ae6d8d20da01b4a17d68aed83
                                                                                                                                                                                                                                        • Instruction ID: 21bbdf819949754a9eeb7e5868f0248165803dd4fca1d60eb7fd3d18bc2e0e51
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 86b72f2ad2312221c91ac00ccdadd2c60ecc1c8ae6d8d20da01b4a17d68aed83
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 56016721B35E4E4BEBA8E71C806096677E2FFA82007454579D44DC3299DE55E8418740
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5505d971288fe95ac1cbd47c92ae8978d50c66376f38f77f15ae18bc8fe36e9b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 90F0A731B5AD0D4BDAB4A66CE065BBA73D2EB85300F85083AD48AC22E5DD5939429781
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7f18dce410e4c0a13c2eb425277f00e39bdfb5091f7e933644abc922069b969c
                                                                                                                                                                                                                                        • Instruction ID: efb969ed454f097a30f20e1ff37a51d83505636bf131b4bc294fcdb2594c1967
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7f18dce410e4c0a13c2eb425277f00e39bdfb5091f7e933644abc922069b969c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7DF0A030D4660D8FDB24EE94A5003FCB6B4FB0A305F41223DD00CB2180C3799B98CB24
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e5a8e6245b19cf358413a4699dd7e5bd71efd7fa6ab4848df3433572f339531f
                                                                                                                                                                                                                                        • Instruction ID: 40b03786308ba57e38838da1452cf9c0974ef6ddb2c013be848a6325cea4c1e6
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e5a8e6245b19cf358413a4699dd7e5bd71efd7fa6ab4848df3433572f339531f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 69F08C3070A80D8FD6A4EB1DE058B7873E1EF59312F2204B5E09DCB6A2CA36EC468740
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: bf4bd6c9491c3610d39c3769dc9d0080433282b784b08610426ba8a6503126e8
                                                                                                                                                                                                                                        • Instruction ID: 796ccd3abf87fb36e102e06e7ea19c141af72a2e3256ffbc89a7ae592ba5da87
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bf4bd6c9491c3610d39c3769dc9d0080433282b784b08610426ba8a6503126e8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 48F0A020B6DA8E9FEB59EBA488256F97BB1EF45200B0504FAD41DC71E7CE68A9008700
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7b9ca2b0cd757104de9feff57e16e3aa353d753b8ef911ea712bd7e4ef355f17
                                                                                                                                                                                                                                        • Instruction ID: a553b41a08725cf18d3e2d144b77d5376e3d1a5a60af67fd15d89b606c722e75
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7b9ca2b0cd757104de9feff57e16e3aa353d753b8ef911ea712bd7e4ef355f17
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4FF05470A5965D5EE7B9EF6884253FA7691EF45300F0109BF900DE3291DF355A448A80
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2403405911.00007FFD9B600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B600000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b600000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 67f6c78042836790eba17300cbb4041b15c3a1342f4775502bef79dbb101d865
                                                                                                                                                                                                                                        • Instruction ID: abf1038f1f965e4b9dc48530e03dfcd579521aea2155b73f94959d62840d8b5d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 67f6c78042836790eba17300cbb4041b15c3a1342f4775502bef79dbb101d865
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E3E0923170D80D8FD6B0D60DE418774B3E1FF99322B1201B6D05DC7260DE25EC014B40
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f85904378928568e98cefc9368ffc2c86363fca8d684b2288aabcdf7b2352f10
                                                                                                                                                                                                                                        • Instruction ID: 34158e532a32571331a88cafa62a287f2af0ca53a71023dab3321ad33a43043e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f85904378928568e98cefc9368ffc2c86363fca8d684b2288aabcdf7b2352f10
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 45F03065F2550D5BEB94F7989895AA877B2FF98B40F814064E058D32A2DE2968018710
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: cf9c0069e0bcb61643e0fffe76bc4b0559b8227b64a4ee0570534eea11f4106e
                                                                                                                                                                                                                                        • Instruction ID: 003554df33132b841b4e50f1b331a0532f02066eb3cae1c5d7f3fff15f72b899
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cf9c0069e0bcb61643e0fffe76bc4b0559b8227b64a4ee0570534eea11f4106e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4CE0927091DA8C6FD741EBB8486A8FEBFF0DF1A200F0805EDD4C8A7163C9246082DB51
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 282e440f311efab26f53e818d22a629634bf4671653662bbfd57667b54a93b93
                                                                                                                                                                                                                                        • Instruction ID: fb2d092526a7112c4051149bc4022136f0860696172f294e096a993bc2efeac2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 282e440f311efab26f53e818d22a629634bf4671653662bbfd57667b54a93b93
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2341537134.00007FFD9B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3F0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ffd9b3f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: 13x$2;x$3Cx$4Kx
                                                                                                                                                                                                                                        • API String ID: 0-455930644
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq$d
                                                                                                                                                                                                                                        • API String ID: 0-3334038649
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (Acq
                                                                                                                                                                                                                                        • API String ID: 0-1548273396
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • KiUserExceptionDispatcher.NTDLL ref: 05149FF8
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864408440.0000000005140000.00000040.00000800.00020000.00000000.sdmp, Offset: 05140000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5140000_rundll32.jbxd
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        • Opcode ID: 9f70e68c69e156d5c537489233938bc42df31726c8f04936486e75bcd35c334a
                                                                                                                                                                                                                                        • Instruction ID: 50491b5591cf7bea1a555c05a4fc15ba7f8817406ff354f47ce5a33404c18190
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9f70e68c69e156d5c537489233938bc42df31726c8f04936486e75bcd35c334a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DB51C2313057418FD325DB24E458A6EBBE2FFC5210B08C6B9D44A8B365DE34EC46CB90
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (Acq
                                                                                                                                                                                                                                        • API String ID: 0-1548273396
                                                                                                                                                                                                                                        • Opcode ID: 9c76fb4ab8f97102ba67184fbde3ab2fc3aee59a3799173e810c9d0fe0cfc976
                                                                                                                                                                                                                                        • Instruction ID: c98d8d083af103d3a97ea46d1217814eb5dddcdf290a7d812cdb83b595b12f2e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9c76fb4ab8f97102ba67184fbde3ab2fc3aee59a3799173e810c9d0fe0cfc976
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E8414070B102159FDB54DF65E898AAEBBF6BF88244F144029D816AB350EF749C06CF92
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (Acq
                                                                                                                                                                                                                                        • API String ID: 0-1548273396
                                                                                                                                                                                                                                        • Opcode ID: 6925e561f259eb97a778146cc4ea4b01656572bd7457fd85a485038a3462fef2
                                                                                                                                                                                                                                        • Instruction ID: 7018df6a20ce1ad800561aab4cf8965af67e38bb5d20e0053aea6dbbdbd087ae
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6925e561f259eb97a778146cc4ea4b01656572bd7457fd85a485038a3462fef2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 71413070B102159FDB54DF65E898AAEBBF6BF88240F104039D8169B350EF749C06CF92
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        • Opcode ID: 43c03e81f2337335115838e17aa3803e857a635d173a55b4af8135b7c894f2d0
                                                                                                                                                                                                                                        • Instruction ID: b25a31728f4e5597e362a89890de8590f823efeec7efbc30f8fe8994f603f8d1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 43c03e81f2337335115838e17aa3803e857a635d173a55b4af8135b7c894f2d0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E6417874B006058FDB54DF19D580A6EB7F2FF89314B25CA69E81AAB360CB30E841CF90
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (bq
                                                                                                                                                                                                                                        • API String ID: 0-149360118
                                                                                                                                                                                                                                        • Opcode ID: 15ecc7fbc27d072f922eb90777682b5bc3e848f1a1e91a734cf32be46e033f07
                                                                                                                                                                                                                                        • Instruction ID: 81b7dcb76eacaddab626fd0f47bd44b334c6109a52968137cee5b7ef403e6466
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 15ecc7fbc27d072f922eb90777682b5bc3e848f1a1e91a734cf32be46e033f07
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D221CF357002049FCB04EB6DF444A6EB7EBEFC922475984B9E50ACB355DE34EC028B92
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 5f15f48462ed4e9e16496b103cc71657dd0b803f08a1de99aeaf1b8b7f56297f
                                                                                                                                                                                                                                        • Instruction ID: bf5aee2facfbfd88de00d0a09efcb5f80a133fbe0878abc857eb61fcfd05e4d9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5f15f48462ed4e9e16496b103cc71657dd0b803f08a1de99aeaf1b8b7f56297f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 08617171B002059BDB54DB69E599A6EBBFBBF88600B24842DD406D7390DF74AC06CF92
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7affad4d07954552c01f620f0a13a699430e9e87a2d829ded041152ea3bf6ac1
                                                                                                                                                                                                                                        • Instruction ID: f2b7e38403e6087a400a4aeaa1e66da343216fea63dd6968ec6cf5591d8dc2a9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7affad4d07954552c01f620f0a13a699430e9e87a2d829ded041152ea3bf6ac1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E9417671B002059BDB15DB79E454A6EB7FBBFC8600B248429D416E7390DF74AC058F92
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000002.1865781828.0000000004CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CCD000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_2_4ccd000_rundll32.jbxd
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 5f545ca7abdba34492f5753b9614f8be2623d9382c46d455584327510695a8f8
                                                                                                                                                                                                                                        • Instruction ID: 69466c2716196ca4d25c9e84b828ddfc3e5f8c81c6732d1292e9aa938a829ba5
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5f545ca7abdba34492f5753b9614f8be2623d9382c46d455584327510695a8f8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B6F0EC3224530167D6219515F804BFF73DAEBC1650F444679A40586654DE61DE9485D0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 66998ce31c52afaa5468bae39c4bbcdb2d049d8024179bd529285d9f8a365263
                                                                                                                                                                                                                                        • Instruction ID: 9ff3da0f1df0a25a9d609ae0fbb53450b7809588f856a9a84d7d57c894ce0ea3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 66998ce31c52afaa5468bae39c4bbcdb2d049d8024179bd529285d9f8a365263
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 59F082353041418FDB109B6CF954B6E7BE7ABC92147044539E049CB324DB21EC468BA1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 1985ff9e3103c37121a52f308ca47dad49a10b5084afe6e058dfcdb39a1e9445
                                                                                                                                                                                                                                        • Instruction ID: 0fa4c4482b1e04ab1812dba3044427fbeaab2ae5d7f80787de9f137c0a04a78a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1985ff9e3103c37121a52f308ca47dad49a10b5084afe6e058dfcdb39a1e9445
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5DF0E5357002128FE744DA79F9005AAB3DBBF882A0304D1B5DA09CB738EE71DC02CB80
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 677762c31877a82d39ae15ec94133c7eec08351c851a1dbdcac664a32eb999d7
                                                                                                                                                                                                                                        • Instruction ID: e5456704c487691da9bb6f997903f270959c482e77e45fe63f81dcc074733b92
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 677762c31877a82d39ae15ec94133c7eec08351c851a1dbdcac664a32eb999d7
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D6E09232740A461B8A15A66EF99091EFAE7EFC5260380843DE51ECB314DE60EC4947A5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b1bdc6557a03f010450f754da4b84a73ad66f36641bd4f39f9c532db956ff6ba
                                                                                                                                                                                                                                        • Instruction ID: a6bc77ec20edf1d819800328b8f5a9da94230b15a6e044d795d07ae060c37525
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b1bdc6557a03f010450f754da4b84a73ad66f36641bd4f39f9c532db956ff6ba
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3EE0D83220121027C2006758F44ABAF7FDAE7C5768F44012CF84683344DE68A90687A1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e0817b356ac71401648067b2e53909a9e61c3058b2fee15ff5a8670601ab10eb
                                                                                                                                                                                                                                        • Instruction ID: af9360a08cc76269fb3fe75aac153ef93d7b7171320cb968a1aa9150deb22db8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e0817b356ac71401648067b2e53909a9e61c3058b2fee15ff5a8670601ab10eb
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8EE0C9B1E05208ABCF44DFA8E84569DFBB9AB44310F0081B9A809E3350EA749A148F95
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 218d1356ddee05f8b3d1a641a5f03ecf7843c84a121310c3c60bd4f168a87ed2
                                                                                                                                                                                                                                        • Instruction ID: 74fcb840759dbeaf385ea272fe7d0b5da638a383def6bc19a30022fd7604b7e9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 218d1356ddee05f8b3d1a641a5f03ecf7843c84a121310c3c60bd4f168a87ed2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 38E0263A60121293E3005630EA0439BA7D7FF40240F0889798C8485254EE38D843CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b11fbf924880f644d72ebbcf266fe99745eebdeeb1398e8679ddfe6aa4c6bfec
                                                                                                                                                                                                                                        • Instruction ID: 4773fdb8114d276171f6c15122045ed34367e7afb497f77c863d74c49b8b9160
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b11fbf924880f644d72ebbcf266fe99745eebdeeb1398e8679ddfe6aa4c6bfec
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CBE0C2322007044BC214B758F04955E7FEAFBC6764B84042DE84683744CE75B84ACBA5
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: cc7b178e7d0d91f9620def35bf7d93c5719561e0b5e7d95c36e8d42ce9abd7e6
                                                                                                                                                                                                                                        • Instruction ID: 932c8a0ec59a08c25fd0e747b5c2701d1cf6dc26e1cc82c8222fefd32e510a23
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cc7b178e7d0d91f9620def35bf7d93c5719561e0b5e7d95c36e8d42ce9abd7e6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1EE09274E0520CAFCB44EFA8D54559DFBF5AB48300F0081AAA809A7354EA745A458F81
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000010.00000003.1864332878.0000000005040000.00000040.00000800.00020000.00000000.sdmp, Offset: 05040000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_16_3_5040000_rundll32.jbxd